author | gtb <none@none> | 2007-09-14 15:01:24 -0700 |
---|---|---|
committer | gtb <none@none> | 2007-09-14 15:01:24 -0700 |
commit | ab9b2e153c3a9a2b1141fefa87925b1a9beb1236 (patch) | |
tree | 7462d47a265a89de34aa9a5952cf969af21b2b0a /usr/src/lib | |
parent | 35ba209ea2294e52335d6bd3853eb811f66428f8 (diff) | |
download | illumos-joyent-ab9b2e153c3a9a2b1141fefa87925b1a9beb1236.tar.gz |
6573019 mit 1.4 sub-glue layer resync
--HG--
rename : usr/src/lib/gss_mechs/mech_krb5/mech/k5mech.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/mech/k5mech.c
Diffstat (limited to 'usr/src/lib')
53 files changed, 4454 insertions, 1942 deletions
diff --git a/usr/src/lib/gss_mechs/mech_krb5/Makefile b/usr/src/lib/gss_mechs/mech_krb5/Makefile index c004c604a6..bd2a930136 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/Makefile +++ b/usr/src/lib/gss_mechs/mech_krb5/Makefile @@ -19,7 +19,7 @@ # CDDL HEADER END # # -# Copyright 2006 Sun Microsystems, Inc. All rights reserved. +# Copyright 2007 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # # ident "%Z%%M% %I% %E% SMI" @@ -99,7 +99,7 @@ EXPORT_SRC: $(RM) Makefile+ Makefile.mech_krb5+\ crypto/des/afsstring2key.c+ \ crypto/des/string2key.c+ \ - mech/k5mech.c+ + mech/krb5_gss_glue.c+ $(SED) -e "/EXPORT DELETE START/,/EXPORT DELETE END/d" \ < crypto/des/afsstring2key.c > crypto/des/afsstring2key.c+ @@ -110,8 +110,8 @@ EXPORT_SRC: $(MV) crypto/des/string2key.c+ crypto/des/string2key.c $(SED) -e "/EXPORT DELETE START/,/EXPORT DELETE END/d" \ - < mech/k5mech.c > mech/k5mech.c+ - $(MV) mech/k5mech.c+ mech/k5mech.c + < mech/krb5_gss_glue.c > mech/krb5_gss_glue.c+ + $(MV) mech/krb5_gss_glue.c+ mech/krb5_gss_glue.c $(SED) -e "/^# EXPORT DELETE START/,/^# EXPORT DELETE END/d" \ < Makefile.mech_krb5 > Makefile.mech_krb5+ @@ -124,18 +124,18 @@ EXPORT_SRC: $(CHMOD) 444 Makefile Makefile.mech_krb5 \ crypto/des/afsstring2key.c \ crypto/des/string2key.c \ - mech/k5mech.c + mech/krb5_gss_glue.c # CRYPT DELETE START # Special target to clean up the source tree for domestic distribution # Warning: This target changes the source tree CRYPT_SRC: - $(RM) Makefile+ mech/k5mech.c+ + $(RM) Makefile+ mech/krb5_gss_glue.c+ $(SED) -e "/CRYPT DELETE START/,/CRYPT DELETE END/d" \ - > mech/k5mech.c+ < mech/k5mech.c - $(MV) mech/k5mech.c+ mech/k5mech.c + > mech/krb5_gss_glue.c+ < mech/krb5_gss_glue.c + $(MV) mech/krb5_gss_glue.c+ mech/krb5_gss_glue.c $(SED) -e "/^# CRYPT DELETE START/,/^# CRYPT DELETE END/d" \ < Makefile \ 
@@ -143,7 +143,7 @@ CRYPT_SRC: > Makefile+ $(MV) Makefile+ Makefile - $(CHMOD) 444 mech/k5mech.c Makefile + $(CHMOD) 444 mech/krb5_gss_glue.c Makefile # CRYPT DELETE END # EXPORT DELETE END diff --git a/usr/src/lib/gss_mechs/mech_krb5/Makefile.com b/usr/src/lib/gss_mechs/mech_krb5/Makefile.com index 4ab83f447e..4ea78d42c4 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/Makefile.com +++ b/usr/src/lib/gss_mechs/mech_krb5/Makefile.com @@ -169,13 +169,14 @@ MECH= accept_sec_context.o store_cred.o \ disp_name.o disp_status.o export_sec_context.o \ get_tkt_flags.o import_name.o indicate_mechs.o \ inq_context.o inq_cred.o inq_names.o \ - k5mech.o \ + krb5_gss_glue.o \ pname_to_uid.o process_context_token.o \ rel_buffer.o rel_oid.o rel_oid_set.o \ rel_cred.o rel_name.o util_buffer.o \ util_dup.o util_localhost.o \ util_cksum.o acquire_cred.o init_sec_context.o \ - util_ctxsetup.o set_ccache.o acquire_cred_with_pw.o + set_ccache.o acquire_cred_with_pw.o lucid_context.o \ + set_allowable_enctypes.o oid_ops.o export_name.o gss_libinit.o MECH_UTS= delete_sec_context.o gssapi_krb5.o \ import_sec_context.o k5seal.o k5sealv3.o \ @@ -185,13 +186,15 @@ MECH_UTS= delete_sec_context.o gssapi_krb5.o \ util_set.o util_token.o util_validate.o \ val_cred.o verify.o wrap_size_limit.o +GSSAPI_UTS= gen_oids.o + PROFILE_OBJS= prof_tree.o prof_file.o prof_parse.o prof_init.o \ prof_set.o prof_get.o -SUPPORT_OBJS= fake-addrinfo.o threads.o errors.o plugins.o +SUPPORT_OBJS= fake-addrinfo.o threads.o errors.o plugins.o OBJECTS= \ - $(MECH) $(MECH_UTS) \ + $(MECH) $(MECH_UTS) $(GSSAPI_UTS)\ $(SUPPORT_OBJS) \ $(PROFILE_OBJS) \ $(CRYPTO) $(CRYPTO_UTS) \ @@ -230,6 +233,7 @@ INS.liblink2= -$(RM) $@; $(SYMLINK) gss/$(LIBLINKPATH)$(LIBLINKS) $@ CPPFLAGS += -I$(REL_PATH)/libgss -I../include \ -I$(SRC)/uts/common/gssapi \ -I$(SRC)/uts/common/gssapi/include \ + -I$(SRC)/lib/gss_mechs/mech_krb5/mech \ -I$(SRC)/lib/gss_mechs/mech_krb5/include/krb5 \ -I../include/krb5 \ -I../krb5/keytab \ 
@@ -302,6 +306,10 @@ DYNFLAGS += $(ZIGNORE) # mech lib needs special initialization at load time DYNFLAGS += -zinitarray=krb5_ld_init +objs/%.o pics/%.o: $(SRC)/uts/common/gssapi/%.c + $(COMPILE.c) -o $@ $< + $(POST_PROCESS_O) + objs/%.o pics/%.o: $(SRC)/uts/common/gssapi/mechs/krb5/mech/%.c $(COMPILE.c) -o $@ $< $(POST_PROCESS_O) @@ -481,8 +489,7 @@ OS_FLAGS = -DHAVE_LIBSOCKET -DHAVE_LIBNSL -DTIME_WITH_SYS_TIME \ -DHAVE_ERRNO -DHAVE_STRFTIME -DHAVE_STRPTIME -DHAVE_STRERROR \ -DHAVE_STAT -DSIZEOF_INT=4 -DPROVIDE_KERNEL_IMPORT \ -DHAVE_STDINT_H -DPOSIX_SIGNALS -DHAVE_GETENV -DHAVE_SETENV \ - -DHAVE_UNSETENV -DHAVE_FCHMOD -DHAVE_STRUCT_LIFCONF \ - -DHAVE_ACCESS + -DHAVE_UNSETENV -DHAVE_FCHMOD -DHAVE_STRUCT_LIFCONF CPPFLAGS += -I$(REL_PATH)krb5/ccache/file $(OS_FLAGS) @@ -522,6 +529,7 @@ SOURCES= \ $(K5_RCACHE:%.o= $(SRC)/lib/gss_mechs/mech_krb5/krb5/rcache/%.c) \ $(MECH:%.o= $(SRC)/lib/gss_mechs/mech_krb5/mech/%.c) \ $(MECH_UTS:%.o= $(SRC)/uts/common/gssapi/mechs/krb5/mech/%.c) \ + $(GSSAPI_UTS:%.o= $(SRC)/uts/common/gssapi/%.c) \ $(PROFILE_OBJS:%.o= $(SRC)/lib/gss_mechs/mech_krb5/profile/%.c) \ $(SUPPORT_OBJS:%.o= $(SRC)/lib/gss_mechs/mech_krb5/support/%.c) diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/old_api_glue.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/old_api_glue.c index aaa411544f..8b24096389 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/old_api_glue.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/old_api_glue.c @@ -1,5 +1,5 @@ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -66,3 +66,14 @@ krb5_checksum_size(krb5_context context, krb5_cksumtype ctype) return(ret); } + +size_t KRB5_CALLCONV +krb5_encrypt_size(size_t length, krb5_enctype crypto) +{ + size_t ret; + + if (krb5_c_encrypt_length(/* XXX */ 0, crypto, length, &ret)) + return(-1); /* XXX */ + + return(ret); +} 
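Review bot: `krb5_encrypt_size` in the new old_api_glue.c hunk returns `-1` from a `size_t` function, so a caller sees `SIZE_MAX` rather than a negative value and will overflow any `malloc(size + n)` it derives from the result; callers must compare against `(size_t)-1` explicitly, and nothing in the hunk says so. The `/* XXX */` markers also leave the literal `0` passed as the context to `krb5_c_encrypt_length` unexplained, which is only safe if that routine never dereferences its context argument — I cannot confirm that from this hunk. I would replace the two XXX markers with one header comment stating the contract: `/* Old-API shim: ciphertext size for a plaintext of `length` bytes under enctype `crypto`, or (size_t)-1 on error. Passes a NULL krb5_context, so krb5_c_encrypt_length must not rely on one. */`.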
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktfile.h b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktfile.h index 7c2b55e3c8..918aafd8a1 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktfile.h +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktfile.h @@ -1,5 +1,5 @@ /* - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * * lib/krb5/keytab/file/ktfile.h 
@@ -79,103 +79,103 @@ extern struct _krb5_kt_ops krb5_ktf_ops; extern struct _krb5_kt_ops krb5_ktf_writable_ops; krb5_error_code KRB5_CALLCONV krb5_ktfile_resolve - PROTOTYPE((krb5_context, + (krb5_context, const char *, - krb5_keytab *)); + krb5_keytab *); krb5_error_code KRB5_CALLCONV krb5_ktfile_wresolve - PROTOTYPE((krb5_context, + (krb5_context, const char *, - krb5_keytab *)); + krb5_keytab *); krb5_error_code KRB5_CALLCONV krb5_ktfile_get_name - PROTOTYPE((krb5_context, + (krb5_context, krb5_keytab, char *, - int)); + int); krb5_error_code KRB5_CALLCONV krb5_ktfile_close - PROTOTYPE((krb5_context, - krb5_keytab)); + (krb5_context, + krb5_keytab); krb5_error_code KRB5_CALLCONV krb5_ktfile_get_entry - PROTOTYPE((krb5_context, + (krb5_context, krb5_keytab, krb5_const_principal, krb5_kvno, krb5_enctype, - krb5_keytab_entry *)); + krb5_keytab_entry *); krb5_error_code KRB5_CALLCONV krb5_ktfile_start_seq_get - PROTOTYPE((krb5_context, + (krb5_context, krb5_keytab, - krb5_kt_cursor *)); + krb5_kt_cursor *); krb5_error_code KRB5_CALLCONV krb5_ktfile_get_next - PROTOTYPE((krb5_context, + (krb5_context, krb5_keytab, krb5_keytab_entry *, - krb5_kt_cursor *)); + krb5_kt_cursor *); krb5_error_code KRB5_CALLCONV krb5_ktfile_end_get - PROTOTYPE((krb5_context, + (krb5_context, krb5_keytab, - krb5_kt_cursor *)); + krb5_kt_cursor *); /* routines to be included on extended version (write routines) */ krb5_error_code KRB5_CALLCONV krb5_ktfile_add - PROTOTYPE((krb5_context, + (krb5_context, krb5_keytab, - krb5_keytab_entry *)); + krb5_keytab_entry *); krb5_error_code KRB5_CALLCONV krb5_ktfile_remove - PROTOTYPE((krb5_context, + (krb5_context, krb5_keytab, - krb5_keytab_entry *)); + krb5_keytab_entry *); krb5_error_code krb5_ktfileint_openr - PROTOTYPE((krb5_context, - krb5_keytab)); + (krb5_context, + krb5_keytab); krb5_error_code krb5_ktfileint_openw - PROTOTYPE((krb5_context, - krb5_keytab)); + (krb5_context, + krb5_keytab); krb5_error_code krb5_ktfileint_close - 
PROTOTYPE((krb5_context, - krb5_keytab)); + (krb5_context, + krb5_keytab); krb5_error_code krb5_ktfileint_read_entry - PROTOTYPE((krb5_context, + (krb5_context, krb5_keytab, - krb5_keytab_entry *)); + krb5_keytab_entry *); krb5_error_code krb5_ktfileint_write_entry - PROTOTYPE((krb5_context, + (krb5_context, krb5_keytab, - krb5_keytab_entry *)); + krb5_keytab_entry *); krb5_error_code krb5_ktfileint_delete_entry - PROTOTYPE((krb5_context, + (krb5_context, krb5_keytab, - krb5_int32)); + krb5_int32); krb5_error_code krb5_ktfileint_internal_read_entry - PROTOTYPE((krb5_context, + (krb5_context, krb5_keytab, krb5_keytab_entry *, - krb5_int32 *)); + krb5_int32 *); krb5_error_code krb5_ktfileint_size_entry - PROTOTYPE((krb5_context, + (krb5_context, krb5_keytab_entry *, - krb5_int32 *)); + krb5_int32 *); krb5_error_code krb5_ktfileint_find_slot - PROTOTYPE((krb5_context, + (krb5_context, krb5_keytab, krb5_int32 *, - krb5_int32 *)); + krb5_int32 *); #endif /* _KRB5_KTFILE */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/an_to_ln.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/an_to_ln.c index 51aeb7d0db..6296380170 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/an_to_ln.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/an_to_ln.c @@ -1,5 +1,5 @@ /* - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -721,14 +721,18 @@ default_an_to_ln(krb5_context context, krb5_const_principal aname, if (strncmp(krb5_princ_component(context, aname, 1)->data, def_realm, realm_length) || realm_length != - krb5_princ_component(context, aname, 1)->length) + krb5_princ_component(context, aname, 1)->length) { /* XXX an_to_ln_realm_chk ? */ + free(def_realm); return KRB5_LNAME_NOTRANS; + } } - else + else { /* no components or more than one component to non-realm part of name --no translation. */ + free(def_realm); return KRB5_LNAME_NOTRANS; + } } free(def_realm); 
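Review bot: In the an_to_ln.c hunk the realm comparison still runs `strncmp` over `realm_length` bytes of the second principal component before checking that the component is that long, so a shorter component whose `data` is not NUL-terminated is read past its end; krb5_data components are length-delimited and nothing visible here guarantees a terminator (the parser may add one, but that is not a contract). Test the length first and compare bytes: `if (realm_length != krb5_princ_component(context, aname, 1)->length || memcmp(krb5_princ_component(context, aname, 1)->data, def_realm, realm_length)) {`. The three `free(def_realm); return KRB5_LNAME_NOTRANS;` copies the commit introduces would also read better funnelled through a single cleanup label. `default_an_to_ln` starts and ends outside this hunk.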
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/kuserok.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/kuserok.c index cde2b285ba..f98ff26ca1 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/kuserok.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/kuserok.c @@ -1,5 +1,5 @@ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -359,12 +359,14 @@ krb5_kuserok(krb5_context context, krb5_principal principal, const char *luser) } OM_uint32 -krb5_gss_userok(void *ctxt, - OM_uint32 *minor, +krb5_gss_userok(OM_uint32 *minor, const gss_name_t pname, const char *user, int *user_ok) { + krb5_context ctxt; + OM_uint32 kret; + if (pname == NULL || user == NULL) return (GSS_S_CALL_INACCESSIBLE_READ); @@ -373,13 +375,22 @@ krb5_gss_userok(void *ctxt, *user_ok = 0; + kret = krb5_gss_init_context(&ctxt); + if (kret) { + *minor = kret; + return (GSS_S_FAILURE); + } + if (! kg_validate_name(pname)) { - *minor = (OM_uint32) G_VALIDATE_FAILED; - return (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); + *minor = (OM_uint32) G_VALIDATE_FAILED; + krb5_free_context(ctxt); + return (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); } if (krb5_kuserok(ctxt, (krb5_principal) pname, user)) { *user_ok = 1; } + + krb5_free_context(ctxt); return (GSS_S_COMPLETE); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/mapfile-vers b/usr/src/lib/gss_mechs/mech_krb5/mapfile-vers index 423888c540..8ac4b8db49 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mapfile-vers +++ b/usr/src/lib/gss_mechs/mech_krb5/mapfile-vers @@ -212,7 +212,6 @@ SUNWprivate_1.1 { decode_krb5_tgs_rep; decode_krb5_tgs_req; decode_krb5_ticket; - display_unknown; encode_krb5_alt_method; encode_krb5_ap_rep; encode_krb5_ap_rep_enc_part; 
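Review bot: `krb5_gss_userok` drops its leading `void *ctxt` parameter but keeps the same symbol under `SUNWprivate_1.1` in mapfile-vers (it is still listed in the mapfile context that follows), so any consumer built against the old five-argument form would now pass its context pointer where `minor` is expected. That is presumably acceptable only because the consumer, libgss's mechanism glue, is rebuilt from the same delivery; confirm it is among the 53 files in this diffstat. While here, the argument check could cover the output pointer the function writes unconditionally: `if (user_ok == NULL) return (GSS_S_CALL_INACCESSIBLE_WRITE);` placed beside the existing `pname`/`user` test. The function's signature line sits in the preceding hunk.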
@@ -247,47 +246,16 @@ SUNWprivate_1.1 { encode_krb5_tgs_req; encode_krb5_ticket; error_message; - g_delete_cred_id; - g_delete_ctx_id; - g_delete_name; - g_display_com_err_status; - g_display_major_status; - g_local_host_name; - g_make_string_buffer; - g_make_token_header; - g_order_check; - g_order_free; - g_order_init; - g_queue_externalize; - g_queue_internalize; - g_queue_size; - g_save_cred_id; - g_save_ctx_id; - g_save_name; - g_set_destroy; - g_set_entry_add; - g_set_entry_delete; - g_set_entry_get; - g_set_init; - g_strdup; - g_token_size; - g_validate_cred_id; - g_validate_ctx_id; - g_validate_name; - g_verify_token_header; ggss_error_table; gmt_mktime; + gss_krb5int_get_tkt_flags; gss_krb5_ccache_name; gss_krb5_copy_ccache; - gss_krb5_get_tkt_flags; gss_mech_krb5; gss_mech_krb5_old; - gss_mech_krb5_v2; gss_mech_set_krb5; gss_mech_set_krb5_both; gss_mech_set_krb5_old; - gss_mech_set_krb5_v1v2; - gss_mech_set_krb5_v2; gss_nt_krb5_name; gss_nt_krb5_principal; gssspi_acquire_cred_with_password; @@ -298,25 +266,18 @@ SUNWprivate_1.1 { kadm_error_table; kdb5_error_table; kdc5_error_table; - kg2_parse_token; - kg_checksum_channel_bindings; kg_confounder_size; - kg_context; kg_ctx_externalize; kg_ctx_internalize; kg_ctx_size; kg_decrypt; kg_encrypt; kg_encrypt_size; - kg_get_context; kg_get_defcred; kg_get_seq_num; kg_make_confounder; kg_make_seed; kg_make_seq_num; - kg_oid_size; - kg_queue_size; - kg_release_defcred; kg_seal; kg_unseal; kg_vdb; @@ -551,7 +512,6 @@ SUNWprivate_1.1 { krb5_get_validated_creds; krb5_getenv; krb5_gss_import_name; - krb5_gss_init_sec_context; krb5_gss_oid_array; krb5_gss_userok; krb5_hmac; @@ -619,7 +579,6 @@ SUNWprivate_1.1 { krb5_mk_req; krb5_mk_req_extended; krb5_mk_safe; - krb5_mutex; krb5_net_read; krb5_net_write; krb5_nfold; diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/accept_sec_context.c b/usr/src/lib/gss_mechs/mech_krb5/mech/accept_sec_context.c index 0285fb9e13..ffb57ceb52 100644 
--- a/usr/src/lib/gss_mechs/mech_krb5/mech/accept_sec_context.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/accept_sec_context.c @@ -6,7 +6,7 @@ #pragma ident "%Z%%M% %I% %E% SMI" /* - * Copyright 2000 by the Massachusetts Institute of Technology. + * Copyright 2000, 2004 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -80,20 +80,21 @@ #include <k5-int.h> #include <auth_con.h> #include <gssapiP_krb5.h> +#ifdef HAVE_MEMORY_H #include <memory.h> +#endif #include <assert.h> -#define CACHENAME_LEN 35 /* Solaris kerberos: XXX kludgy but there is no include file for the * krb5_fcc_ops extern declaration. */ extern krb5_cc_ops krb5_fcc_ops; +#ifdef CFX_EXERCISE +#define CFX_ACCEPTOR_SUBKEY (time(0) & 1) +#else #define CFX_ACCEPTOR_SUBKEY 1 - -/* - * $Id: accept_sec_context.c,v 1.51.2.3 2000/06/08 00:25:48 tlyu Exp $ - */ +#endif /* * Decode, decrypt and store the forwarded creds in the local ccache. @@ -109,6 +110,7 @@ rd_and_store_for_creds(context, auth_context, inbuf, out_cred) { krb5_creds ** creds; krb5_error_code retval; + krb5_ccache template_ccache = NULL; krb5_ccache ccache = NULL; krb5_gss_cred_id_t cred = NULL; krb5_auth_context new_auth_ctx = NULL; @@ -177,13 +179,15 @@ rd_and_store_for_creds(context, auth_context, inbuf, out_cred) /* Lots of kludging going on here... Some day the ccache interface will be rewritten though */ - retval = krb5_cc_resolve(context, "MEMORY:GSSAPI", &ccache); + retval = krb5_cc_resolve(context, "MEMORY:GSSAPI", &template_ccache); if (retval) { KRB5_LOG(KRB5_ERR, "rd_and_store_for_creds() error " "krb5_cc_resolve() retval = %d\n", retval); goto cleanup; } + ccache = template_ccache; /* krb5_cc_gen_new will replace so make a copy */ + retval = krb5_cc_gen_new(context, &ccache); if (retval) { KRB5_LOG(KRB5_ERR, "rd_and_store_for_creds() error " 
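Review bot: The `CFX_EXERCISE` branch redefines `CFX_ACCEPTOR_SUBKEY` as `(time(0) & 1)`, which makes whether the acceptor generates a CFX subkey depend on the clock; that is a test-only hook inherited from MIT and must never be defined in a shipped build, but nothing in the hunk says so. I would annotate it: `/* CFX_EXERCISE is a test hook that randomizes acceptor-subkey use; never define it in production builds. */`. It also relies on `time()` being declared, which this hunk's include changes do not show.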
@@ -218,11 +222,19 @@ rd_and_store_for_creds(context, auth_context, inbuf, out_cred) /* zero it out... */ (void) memset(cred, 0, sizeof(krb5_gss_cred_id_rec)); + retval = k5_mutex_init(&cred->lock); + if (retval) { + xfree(cred); + cred = NULL; + goto cleanup; + } + /* copy the client principle into it... */ if ((retval = krb5_copy_principal(context, creds[0]->client, &(cred->princ)))) { KRB5_LOG(KRB5_ERR, "rd_and_store_for_creds() error " "krb5_copy_principal() retval = %d\n", retval); + k5_mutex_destroy(&cred->lock); retval = ENOMEM; /* out of memory? */ xfree(cred); /* clean up memory on failure */ *out_cred = cred = NULL; @@ -231,15 +243,13 @@ rd_and_store_for_creds(context, auth_context, inbuf, out_cred) cred->usage = GSS_C_INITIATE; /* we can't accept with this */ /* cred->princ already set */ - cred->actual_mechs = gss_mech_set_krb5_both; cred->prerfc_mech = 1; /* this cred will work with all three mechs */ cred->rfc_mech = 1; cred->keytab = NULL; /* no keytab associated with this... */ - cred->ccache = ccache; /* but there is a credential cache */ /* The cred expires when the original cred was set to expire */ cred->tgt_expire = creds[0]->times.endtime; - - *out_cred = cred; + cred->ccache = ccache; /* the ccache containing the credential */ + ccache = NULL; /* cred takes ownership so don't destroy */ } /* If there were errors, there might have been a memory leak @@ -248,10 +258,19 @@ rd_and_store_for_creds(context, auth_context, inbuf, out_cred) goto cleanup; */ cleanup: - krb5_free_tgt_creds(context, creds); + if (creds) + krb5_free_tgt_creds(context, creds); + + if (ccache) + (void)krb5_cc_destroy(context, ccache); - if (!cred && ccache) - (void)krb5_cc_close(context, ccache); + /* + * SUNW15resync + * Added this cc_destroy for template_cache, w/out it causes memory + * leak via "ssh -o gssapidelegatecredentials=yes ..." + */ + if (template_ccache) + (void)krb5_cc_destroy(context, template_ccache); if (out_cred) *out_cred = cred; /* return credential */ 
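Review bot: The cleanup block now destroys both `ccache` and `template_ccache`, but after `ccache = template_ccache` in the previous hunk the two are the same handle until `krb5_cc_gen_new` succeeds; if `krb5_cc_gen_new` fails and leaves `*ccache` untouched — which I believe the memory ccache's gen_new does, storing the new handle only on success — the failure path calls `krb5_cc_destroy` twice on the same cache. Guard the first destroy: `if (ccache && ccache != template_ccache) (void)krb5_cc_destroy(context, ccache);`. The `SUNW15resync` comment should also record this aliasing so the next resync does not reintroduce it. `rd_and_store_for_creds` begins before this hunk.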
@@ -265,13 +284,17 @@ cleanup: return retval; } +/* + * SUNW15resync + * Most of the logic here left "as is" because of lots of fixes MIT + * does not have yet + */ OM_uint32 -krb5_gss_accept_sec_context(ct, minor_status, context_handle, +krb5_gss_accept_sec_context(minor_status, context_handle, verifier_cred_handle, input_token, input_chan_bindings, src_name, mech_type, output_token, ret_flags, time_rec, delegated_cred_handle) - void *ct; OM_uint32 *minor_status; gss_ctx_id_t *context_handle; gss_cred_id_t verifier_cred_handle; @@ -284,7 +307,7 @@ krb5_gss_accept_sec_context(ct, minor_status, context_handle, OM_uint32 *time_rec; gss_cred_id_t *delegated_cred_handle; { - krb5_context context = ct; + krb5_context context; unsigned char *ptr, *ptr2; char *sptr; long tmp; @@ -314,17 +337,22 @@ krb5_gss_accept_sec_context(ct, minor_status, context_handle, gss_cred_id_t cred_handle = NULL; krb5_gss_cred_id_t deleg_cred = NULL; OM_uint32 saved_ap_options = 0; + krb5int_access kaccess; + int cred_rcache = 0; KRB5_LOG0(KRB5_INFO,"krb5_gss_accept_sec_context() start"); - mutex_lock(&krb5_mutex); + code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); + if (code) { + *minor_status = code; + return(GSS_S_FAILURE); + } - /* Solaris Kerberos: for MT safety, we avoid the use of a default - * context via kg_get_context() */ -#if 0 - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return(GSS_S_FAILURE); -#endif + code = krb5_gss_init_context(&context); + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } /* set up returns to be freeable */ @@ -363,7 +391,7 @@ krb5_gss_accept_sec_context(ct, minor_status, context_handle, major_status = GSS_S_NO_CONTEXT; KRB5_LOG0(KRB5_ERR,"krb5_gss_accept_sec_context() " "error GSS_S_NO_CONTEXT"); - goto unlock; + goto cleanup; } /* verify the token's integrity, and leave the token in ap_req. 
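Review bot: The two new early returns after `krb5int_accessor` and `krb5_gss_init_context` fire before the `/* set up returns to be freeable */` block, so on those failures `*output_token`, `*src_name` and the other out-parameters are left as the caller passed them even though GSS-API callers commonly release outputs unconditionally after an error. Either move the two checks below that initialization or initialize the outputs first; the removed `mutex_lock` path had no such gap because it could not fail. `krb5_gss_accept_sec_context`'s body continues beyond this hunk.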
@@ -371,13 +399,13 @@ krb5_gss_accept_sec_context(ct, minor_status, context_handle, ptr = (unsigned char *) input_token->value; - if (!(code = g_verify_token_header((gss_OID) gss_mech_krb5, + if (!(code = g_verify_token_header(gss_mech_krb5, (uint32_t *)&(ap_req.length), &ptr, KG_TOK_CTX_AP_REQ, input_token->length, 1))) { mech_used = gss_mech_krb5; } else if ((code == G_WRONG_MECH) && - !(code = g_verify_token_header((gss_OID) gss_mech_krb5_old, + !(code = g_verify_token_header(gss_mech_krb5_old, (uint32_t *)&(ap_req.length), &ptr, KG_TOK_CTX_AP_REQ, input_token->length, 1))) { @@ -446,7 +474,7 @@ krb5_gss_accept_sec_context(ct, minor_status, context_handle, major_status = GSS_S_FAILURE; goto fail; } - major_status = krb5_gss_acquire_cred_no_lock(context, (OM_uint32*) &code, + major_status = krb5_gss_acquire_cred((OM_uint32*) &code, (gss_name_t) princ, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, GSS_C_ACCEPT, &cred_handle, @@ -470,7 +498,7 @@ krb5_gss_accept_sec_context(ct, minor_status, context_handle, cred_handle = verifier_cred_handle; } - major_status = krb5_gss_validate_cred_no_lock(context, (OM_uint32*) &code, + major_status = krb5_gss_validate_cred((OM_uint32*) &code, cred_handle); if (GSS_ERROR(major_status)){ 
@@ -527,12 +555,14 @@ krb5_gss_accept_sec_context(ct, minor_status, context_handle, (void) krb5_auth_con_setflags(context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE); - if (cred->rcache && - (code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) { - major_status = GSS_S_FAILURE; - KRB5_LOG(KRB5_ERR, "krb5_gss_accept_sec_context() " - "krb5_auth_con_setrcache() error code %d", code); - goto fail; + if (cred->rcache) { + cred_rcache = 1; + if ((code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) { + major_status = GSS_S_FAILURE; + KRB5_LOG(KRB5_ERR, "krb5_gss_accept_sec_context() " + "krb5_auth_con_setrcache() error code %d", code); + goto fail; + } } if ((code = krb5_auth_con_setaddrs(context, auth_context, NULL, paddr))) { major_status = GSS_S_FAILURE; @@ -731,24 +761,7 @@ krb5_gss_accept_sec_context(ct, minor_status, context_handle, memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec)); - /* Solaris Kerberos: we allocate the memory for mech_used here - * because we store mech_used as a gss_OID and not a (gss_OID *) - */ -#if 0 - ctx->mech_used = mech_used; -#else - /* begin Solaris Kerberos solution */ - ctx->mech_used.elements = (void *)malloc(mech_used->length); - if ( (ctx->mech_used.elements) == NULL ) - { - code = ENOMEM; - major_status = GSS_S_FAILURE; - goto fail; - } - ctx->mech_used.length = mech_used->length; - memcpy(ctx->mech_used.elements, mech_used->elements, mech_used->length); -#endif - + ctx->mech_used = (gss_OID) mech_used; ctx->auth_context = auth_context; ctx->initiate = 0; ctx->gss_flags = (GSS_C_TRANS_FLAG | @@ -757,6 +770,7 @@ krb5_gss_accept_sec_context(ct, minor_status, context_handle, GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG))); ctx->seed_init = 0; ctx->big_endian = bigend; + ctx->cred_rcache = cred_rcache; /* Intern the ctx pointer so that delete_sec_context works */ if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) { 
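Review bot: `ctx->mech_used = (gss_OID) mech_used;` replaces the Solaris-specific malloc'd copy with a pointer to the static `gss_mech_krb5`/`gss_mech_krb5_old` OID, so `ctx->mech_used` is no longer owned by the context; any remaining code that frees `mech_used.elements` on delete, or copies it by value on export/import, must have been changed in the same resync, which this hunk cannot show. A comment at the assignment would make the ownership explicit: `/* mech_used points at a static OID; it is never freed with the ctx */`. The new `cred_rcache` flag looks right: it lets the failure path below detach, rather than free, a replay cache that belongs to the credential. `krb5_gss_accept_sec_context` starts and ends outside this hunk.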
@@ -970,7 +984,7 @@ krb5_gss_accept_sec_context(ct, minor_status, context_handle, /* the reply token hasn't been sent yet, but that's ok. */ ctx->gss_flags |= GSS_C_PROT_READY_FLAG; ctx->established = 1; - token.length = g_token_size((gss_OID) mech_used, ap_rep.length); + token.length = g_token_size(mech_used, ap_rep.length); if ((token.value = (unsigned char *) xmalloc(token.length)) == NULL) { @@ -979,7 +993,7 @@ krb5_gss_accept_sec_context(ct, minor_status, context_handle, goto fail; } ptr = token.value; - g_make_token_header((gss_OID) mech_used, ap_rep.length, + g_make_token_header(mech_used, ap_rep.length, &ptr, KG_TOK_CTX_AP_REP); TWRITE_STR(ptr, ap_rep.data, ap_rep.length); @@ -1040,9 +1054,12 @@ krb5_gss_accept_sec_context(ct, minor_status, context_handle, fail: if (authdat) krb5_free_authenticator(context, authdat); + /* The ctx structure has the handle of the auth_context */ if (auth_context && !ctx) { - (void)krb5_auth_con_setrcache(context, auth_context, NULL); - krb5_auth_con_free(context, auth_context); + if (cred_rcache) + (void)krb5_auth_con_setrcache(context, auth_context, NULL); + + krb5_auth_con_free(context, auth_context); } if (reqcksum.contents) xfree(reqcksum.contents); @@ -1055,13 +1072,21 @@ krb5_gss_accept_sec_context(ct, minor_status, context_handle, request = NULL; } - if (!GSS_ERROR(major_status)) - goto unlock; + if (!GSS_ERROR(major_status) && major_status != GSS_S_CONTINUE_NEEDED) { + if (!verifier_cred_handle && cred_handle) { + krb5_gss_release_cred(minor_status, &cred_handle); + } + + if (ctx) + ctx->k5_context = context; + + return(major_status); + } /* from here on is the real "fail" code */ if (ctx) - (void) krb5_gss_delete_sec_context_no_lock(context, minor_status, + (void) krb5_gss_delete_sec_context(minor_status, (gss_ctx_id_t *) &ctx, NULL); if (deleg_cred) { /* free memory associated with the deleg credential */ if (deleg_cred->ccache) 
@@ -1104,18 +1129,18 @@ krb5_gss_accept_sec_context(ct, minor_status, context_handle, code = krb5_mk_error(context, &krb_error_data, &scratch); if (code) - goto unlock; + goto cleanup; tmsglen = scratch.length; toktype = KG_TOK_CTX_ERROR; - token.length = g_token_size((gss_OID) mech_used, tmsglen); + token.length = g_token_size(mech_used, tmsglen); token.value = (unsigned char *) xmalloc(token.length); if (!token.value) - goto unlock; + goto cleanup; ptr = token.value; - g_make_token_header((gss_OID) mech_used, tmsglen, &ptr, toktype); + g_make_token_header(mech_used, tmsglen, &ptr, toktype); TWRITE_STR(ptr, scratch.data, scratch.length); xfree(scratch.data); @@ -1123,12 +1148,13 @@ krb5_gss_accept_sec_context(ct, minor_status, context_handle, *output_token = token; } -unlock: +cleanup: if (!verifier_cred_handle && cred_handle) { - krb5_gss_release_cred_no_lock(context, (OM_uint32*) &code, &cred_handle); + krb5_gss_release_cred(minor_status, &cred_handle); } - mutex_unlock(&krb5_mutex); + krb5_free_context(context); + KRB5_LOG(KRB5_ERR,"krb5_gss_accept_sec_context() end, " "major_status = %d", major_status); return (major_status); diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/acquire_cred.c b/usr/src/lib/gss_mechs/mech_krb5/mech/acquire_cred.c index d19b98e99b..a916cc2b0e 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/acquire_cred.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/acquire_cred.c @@ -13,7 +13,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright 
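Review bot: On the failure path the `cleanup:` label now calls `krb5_gss_release_cred(minor_status, &cred_handle)`, which overwrites the minor status recorded for the actual error with the result of releasing the internally acquired credential (normally 0), so callers that reach `cleanup` with `GSS_S_FAILURE` lose the underlying krb5 error code; the removed `_no_lock` variant wrote into the scratch `code` instead. Use a scratch variable: `OM_uint32 tmp_minor; krb5_gss_release_cred(&tmp_minor, &cred_handle);`. The same pattern in the success-path early return earlier in the function is presumably harmless since the minor status is 0 there anyway. `krb5_gss_accept_sec_context` starts outside this hunk.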
@@ -27,12 +27,11 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * */ - /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -42,7 +41,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -54,14 +53,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright 
@@ -72,24 +71,70 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ -#include <gssapiP_krb5.h> -#include <k5-int.h> - +#include "k5-int.h" +#include "gss_libinit.h" +#include "gssapiP_krb5.h" +#include "mglueP.h" #ifdef HAVE_STRING_H #include <string.h> #else #include <strings.h> #endif -/* - * $Id: acquire_cred.c,v 1.25.6.2 2000/05/22 20:41:32 meeroh Exp $ - */ +/* SUNW15resync - Solaris kerberos does not need this feature in this file */ +#ifdef USE_LOGIN_LIBRARY +#undef USE_LOGIN_LIBRARY +#endif + +#if defined(USE_LOGIN_LIBRARY) +#include <Kerberos/KerberosLoginPrivate.h> +#elif defined(USE_LEASH) +static void (*pLeash_AcquireInitialTicketsIfNeeded)(krb5_context,krb5_principal,char*,int) = NULL; +static HANDLE hLeashDLL = INVALID_HANDLE_VALUE; +#endif + +k5_mutex_t gssint_krb5_keytab_lock = K5_MUTEX_PARTIAL_INITIALIZER; +static char *krb5_gss_keytab = NULL; + +/* Heimdal calls this gsskrb5_register_acceptor_identity. */ +OM_uint32 KRB5_CALLCONV +krb5_gss_register_acceptor_identity(const char *keytab) +{ + size_t len; + char *new, *old; + int err; + + err = gssint_initialize_library(); + if (err != 0) + return GSS_S_FAILURE; + + if (keytab == NULL) + return GSS_S_FAILURE; + + len = strlen(keytab); + new = malloc(len + 1); + if (new == NULL) + return GSS_S_FAILURE; + strcpy(new, keytab); + + err = k5_mutex_lock(&gssint_krb5_keytab_lock); + if (err) { + free(new); + return GSS_S_FAILURE; + } + old = krb5_gss_keytab; + krb5_gss_keytab = new; + k5_mutex_unlock(&gssint_krb5_keytab_lock); + if (old != NULL) + free(old); + return GSS_S_COMPLETE; +} /* get credentials corresponding to a key in the krb5 keytab. 
If the default name is requested, return the name in output_princ. @@ -98,7 +143,7 @@ If successful, set the keytab-specific fields in cred */ -static OM_uint32 +static OM_uint32 acquire_accept_cred(context, minor_status, desired_name, output_princ, cred) krb5_context context; OM_uint32 *minor_status; @@ -116,9 +161,27 @@ acquire_accept_cred(context, minor_status, desired_name, output_princ, cred) /* open the default keytab */ - if ((code = krb5_kt_default(context, &kt))) { + code = gssint_initialize_library(); + if (code != 0) { + *minor_status = code; + return GSS_S_FAILURE; + } + code = k5_mutex_lock(&gssint_krb5_keytab_lock); + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } + if (krb5_gss_keytab != NULL) { + code = krb5_kt_resolve(context, krb5_gss_keytab, &kt); + k5_mutex_unlock(&gssint_krb5_keytab_lock); + } else { + k5_mutex_unlock(&gssint_krb5_keytab_lock); + code = krb5_kt_default(context, &kt); + } + + if (code) { *minor_status = code; - /* NOTE: GSS_S_CRED_UNAVAIL is not RFC 2743 compliant */ + /* Solaris Kerb NOTE: GSS_S_CRED_UNAVAIL is not RFC 2743 compliant */ return(GSS_S_NO_CRED); } @@ -130,7 +193,7 @@ acquire_accept_cred(context, minor_status, desired_name, output_princ, cred) *minor_status = KG_KEYTAB_NOMATCH; else *minor_status = code; - /* NOTE: GSS_S_CRED_UNAVAIL is not RFC 2743 compliant */ + /* Solaris Kerb NOTE: GSS_S_CRED_UNAVAIL is not RFC 2743 compliant */ return(GSS_S_NO_CRED); } krb5_kt_free_entry(context, &entry); @@ -145,7 +208,7 @@ acquire_accept_cred(context, minor_status, desired_name, output_princ, cred) } - /* hooray. we made it */ +/* hooray. we made it */ cred->keytab = kt; @@ -159,7 +222,7 @@ acquire_accept_cred(context, minor_status, desired_name, output_princ, cred) If successful, set the ccache-specific fields in cred. */ -static OM_uint32 +static OM_uint32 acquire_init_cred(context, minor_status, desired_name, output_princ, cred) krb5_context context; OM_uint32 *minor_status; 
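Review bot: `gssint_krb5_keytab_lock` is declared with `K5_MUTEX_PARTIAL_INITIALIZER`, which in the MIT threading model is usable only after `k5_mutex_finish_init` has run; `krb5_gss_register_acceptor_identity` and `acquire_accept_cred` both call `gssint_initialize_library()` first, so presumably `gss_libinit.c` (newly added to the object list in Makefile.com) completes that initialization — worth confirming, since a partially initialized mutex fails silently in non-debug builds. A comment at the declaration would help: `/* Partially initialized; gssint_initialize_library() must run k5_mutex_finish_init() on it before first use. */`. Note also that the registered keytab name is process-global and is validated only when `krb5_kt_resolve` runs in `acquire_accept_cred`, so a bad name surfaces as `GSS_S_NO_CRED` on the next accept rather than at registration time.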
@@ -177,19 +240,77 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred) cred->ccache = NULL; - /* SUNW14resync - do we need this? */ -#if 0 /* load the GSS ccache name into the kg_context */ + if (GSS_ERROR(kg_sync_ccache_name(context, minor_status))) return(GSS_S_FAILURE); -#endif - - /* open the default credential cache */ - code = krb5int_cc_default(context, &ccache); - if (code) { - *minor_status = code; - return(GSS_S_NO_CRED); +#if defined(USE_LOGIN_LIBRARY) || defined(USE_LEASH) + if (desired_name != NULL) { +#if defined(USE_LOGIN_LIBRARY) + char *ccache_name = NULL; + KLPrincipal kl_desired_princ = NULL; + + if ((code = __KLCreatePrincipalFromKerberos5Principal ((krb5_principal) desired_name, + &kl_desired_princ))) { + *minor_status = code; + return(GSS_S_NO_CRED); + } + + if ((code = KLAcquireInitialTickets (kl_desired_princ, NULL, NULL, &ccache_name))) { + KLDisposePrincipal (kl_desired_princ); + *minor_status = code; + return(GSS_S_NO_CRED); + } + + if ((code = krb5_cc_resolve (context, ccache_name, &ccache))) { + KLDisposeString (ccache_name); + KLDisposePrincipal (kl_desired_princ); + *minor_status = code; + return(GSS_S_NO_CRED); + } + + if (kl_desired_princ != NULL) { KLDisposePrincipal (kl_desired_princ); } + if (ccache_name != NULL) { KLDisposeString (ccache_name); } +#elif defined(USE_LEASH) + if ( hLeashDLL == INVALID_HANDLE_VALUE ) { + hLeashDLL = LoadLibrary("leashw32.dll"); + if ( hLeashDLL != INVALID_HANDLE_VALUE ) { + (FARPROC) pLeash_AcquireInitialTicketsIfNeeded = + GetProcAddress(hLeashDLL, "not_an_API_Leash_AcquireInitialTicketsIfNeeded"); + } + } + + if ( pLeash_AcquireInitialTicketsIfNeeded ) { + char ccname[256]=""; + pLeash_AcquireInitialTicketsIfNeeded(context, (krb5_principal) desired_name, ccname, sizeof(ccname)); + if (!ccname[0]) { + *minor_status = KRB5_CC_NOTFOUND; + return(GSS_S_NO_CRED); + } + + if ((code = krb5_cc_resolve (context, ccname, &ccache))) { + *minor_status = code; + 
return(GSS_S_NO_CRED); + } + } else { + /* leash dll not available, open the default credential cache */ + + if ((code = krb5int_cc_default(context, &ccache))) { + *minor_status = code; + return(GSS_S_NO_CRED); + } + } +#endif /* USE_LEASH */ + } else +#endif /* USE_LOGIN_LIBRARY || USE_LEASH */ + { + /* open the default credential cache */ + + if ((code = krb5int_cc_default(context, &ccache))) { + *minor_status = code; + return(GSS_S_NO_CRED); + } } /* turn off OPENCLOSE mode while extensive frobbing is going on */ @@ -200,7 +321,7 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred) * the file like it used to and caused STC test gss.27 to fail. */ flags = 0; /* turns off OPENCLOSE mode */ - if ((code = krb5_cc_set_flags(context, ccache, flags)) != 0) { + if ((code = krb5_cc_set_flags(context, ccache, flags))) { (void)krb5_cc_close(context, ccache); *minor_status = code; return(GSS_S_NO_CRED); @@ -208,7 +329,7 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred) /* get out the principal name and see if it matches */ - if ((code = krb5_cc_get_principal(context, ccache, &princ)) != 0) { + if ((code = krb5_cc_get_principal(context, ccache, &princ))) { (void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE); (void)krb5_cc_close(context, ccache); *minor_status = code; @@ -218,7 +339,7 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred) if (desired_name != (gss_name_t) NULL) { if (! krb5_principal_compare(context, princ, (krb5_principal) desired_name)) { (void)krb5_free_principal(context, princ); - (void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE); + (void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE); (void)krb5_cc_close(context, ccache); *minor_status = KG_CCACHE_NOMATCH; return(GSS_S_NO_CRED); 
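Review bot: In the USE_LEASH branch the test `hLeashDLL != INVALID_HANDLE_VALUE` cannot detect a load failure — Win32 `LoadLibrary()` returns NULL on failure — so a missing leashw32.dll passes the check, `GetProcAddress` is called on a NULL module, and the static handle is never retried. The fix is `if ( hLeashDLL != NULL ) {` here together with initializing the static to NULL in the earlier hunk; the lazy writes to `hLeashDLL` and `pLeash_AcquireInitialTicketsIfNeeded` are also unsynchronized. On this Solaris build USE_LOGIN_LIBRARY is explicitly undefined and USE_LEASH appears not to be defined, so the branch is compiled out and this is latent upstream code rather than a live defect. acquire_init_cred begins before this hunk.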
@@ -231,7 +352,7 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred) /* iterate over the ccache, find the tgt */ - if ((code = krb5_cc_start_seq_get(context, ccache, &cur)) != 0) { + if ((code = krb5_cc_start_seq_get(context, ccache, &cur))) { (void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE); (void)krb5_cc_close(context, ccache); *minor_status = code; @@ -257,7 +378,7 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred) *minor_status = code; return(GSS_S_FAILURE); } - while ((code = krb5_cc_next_cred(context, ccache, &cur, &creds)) == 0) { + while (!(code = krb5_cc_next_cred(context, ccache, &cur, &creds))) { if (krb5_principal_compare(context, tmp_princ, creds.server)) { cred->tgt_expire = creds.times.endtime; got_endtime = 1; @@ -290,14 +411,14 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred) return(GSS_S_FAILURE); } else { /* this means that we found an endtime to use. */ - if ((code = krb5_cc_end_seq_get(context, ccache, &cur)) != 0) { + if ((code = krb5_cc_end_seq_get(context, ccache, &cur))) { (void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE); (void)krb5_cc_close(context, ccache); *minor_status = code; return(GSS_S_FAILURE); } flags = KRB5_TC_OPENCLOSE; /* turns on OPENCLOSE mode */ - if ((code = krb5_cc_set_flags(context, ccache, flags)) != 0) { + if ((code = krb5_cc_set_flags(context, ccache, flags))) { (void)krb5_cc_close(context, ccache); *minor_status = code; return(GSS_S_FAILURE); 
@@ -310,37 +431,12 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred) /* minor_status is set while we are iterating over the ccache */ return(GSS_S_COMPLETE); } - -OM_uint32 -krb5_gss_acquire_cred(ctx, minor_status, desired_name, time_req, - desired_mechs, cred_usage, output_cred_handle, - actual_mechs, time_rec) - void *ctx; - OM_uint32 *minor_status; - gss_name_t desired_name; - OM_uint32 time_req; - gss_OID_set desired_mechs; - gss_cred_usage_t cred_usage; - gss_cred_id_t *output_cred_handle; - gss_OID_set *actual_mechs; - OM_uint32 *time_rec; -{ - OM_uint32 ret; - - mutex_lock(&krb5_mutex); - ret = krb5_gss_acquire_cred_no_lock(ctx, minor_status, desired_name, - time_req, desired_mechs, cred_usage, output_cred_handle, - actual_mechs, time_rec); - mutex_unlock(&krb5_mutex); - return(ret); -} - + /*ARGSUSED*/ OM_uint32 -krb5_gss_acquire_cred_no_lock(ctx, minor_status, desired_name, time_req, +krb5_gss_acquire_cred(minor_status, desired_name, time_req, desired_mechs, cred_usage, output_cred_handle, actual_mechs, time_rec) - void *ctx; OM_uint32 *minor_status; gss_name_t desired_name; OM_uint32 time_req; @@ -353,20 +449,22 @@ krb5_gss_acquire_cred_no_lock(ctx, minor_status, desired_name, time_req, krb5_context context; size_t i; krb5_gss_cred_id_t cred; - gss_OID_set ret_mechs = GSS_C_NULL_OID_SET; - const gss_OID_set_desc * valid_mechs; + gss_OID_set ret_mechs; int req_old, req_new; OM_uint32 ret; krb5_error_code code; - /* Solaris Kerberos: for MT safety, we avoid the use of a default - * context via kg_get_context() */ -#if 0 - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return(GSS_S_FAILURE); -#endif + code = gssint_initialize_library(); + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } - context = ctx; + code = krb5_gss_init_context(&context); + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } /* make sure all outputs are valid */ 
@@ -382,6 +480,7 @@ krb5_gss_acquire_cred_no_lock(ctx, minor_status, desired_name, time_req, if ((desired_name != (gss_name_t) NULL) && (! kg_validate_name(desired_name))) { *minor_status = (OM_uint32) G_VALIDATE_FAILED; + krb5_free_context(context); return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); } @@ -389,7 +488,6 @@ krb5_gss_acquire_cred_no_lock(ctx, minor_status, desired_name, time_req, contains krb5 */ if (desired_mechs == GSS_C_NULL_OID_SET) { - valid_mechs = gss_mech_set_krb5_both; req_old = 1; req_new = 1; } else { @@ -405,6 +503,7 @@ krb5_gss_acquire_cred_no_lock(ctx, minor_status, desired_name, time_req, if (!req_old && !req_new) { *minor_status = 0; + krb5_free_context(context); return(GSS_S_BAD_MECH); } } @@ -414,24 +513,36 @@ krb5_gss_acquire_cred_no_lock(ctx, minor_status, desired_name, time_req, if ((cred = (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec))) == NULL) { *minor_status = ENOMEM; + krb5_free_context(context); return(GSS_S_FAILURE); } memset(cred, 0, sizeof(krb5_gss_cred_id_rec)); cred->usage = cred_usage; cred->princ = NULL; - cred->actual_mechs = valid_mechs; cred->prerfc_mech = req_old; cred->rfc_mech = req_new; cred->keytab = NULL; cred->ccache = NULL; + code = k5_mutex_init(&cred->lock); + if (code) { + *minor_status = code; + krb5_free_context(context); + return GSS_S_FAILURE; + } + /* Note that we don't need to lock this GSSAPI credential record + here, because no other thread can gain access to it until we + return it. */ + if ((cred_usage != GSS_C_INITIATE) && (cred_usage != GSS_C_ACCEPT) && (cred_usage != GSS_C_BOTH)) { + k5_mutex_destroy(&cred->lock); xfree(cred); *minor_status = (OM_uint32) G_BAD_USAGE; + krb5_free_context(context); return(GSS_S_FAILURE); } 
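Review bot: The new `k5_mutex_init(&cred->lock)` failure path leaks `cred`: the record was xmalloc'd a few lines earlier, but this branch only sets *minor_status, frees the context and returns, whereas every other failure path in the function frees the record. Add `xfree(cred);` before the `return GSS_S_FAILURE;` in that branch (no k5_mutex_destroy, since the init failed). The enclosing function continues past this hunk.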
@@ -445,8 +556,10 @@ krb5_gss_acquire_cred_no_lock(ctx, minor_status, desired_name, time_req, != GSS_S_COMPLETE) { if (cred->princ) krb5_free_principal(context, cred->princ); - xfree(cred); + k5_mutex_destroy(&cred->lock); + xfree(cred); /* minor_status set by acquire_accept_cred() */ + krb5_free_context(context); return(ret); } @@ -462,18 +575,21 @@ krb5_gss_acquire_cred_no_lock(ctx, minor_status, desired_name, time_req, &(cred->princ), cred)) != GSS_S_COMPLETE) { if (cred->keytab) - (void) krb5_kt_close(context, cred->keytab); + krb5_kt_close(context, cred->keytab); if (cred->princ) krb5_free_principal(context, cred->princ); - xfree(cred); + k5_mutex_destroy(&cred->lock); + xfree(cred); /* minor_status set by acquire_init_cred() */ + krb5_free_context(context); return(ret); } /* Solaris Kerberos: - * if the princ wasn't filled in already, fill it in now unless + * if the princ wasn't filled in already, fill it in now unless * a cred with no associated princ is requested (will invoke default * behaviour when gss_accept_init_context() is called). + * Note MIT 1.4 has GSS_C_NO_CREDENTIAL instead of GSS_C_NO_NAME */ if (!cred->princ && (desired_name != GSS_C_NO_NAME)) if ((code = krb5_copy_principal(context, (krb5_principal) desired_name, @@ -482,8 +598,10 @@ krb5_gss_acquire_cred_no_lock(ctx, minor_status, desired_name, time_req, (void)krb5_cc_close(context, cred->ccache); if (cred->keytab) (void)krb5_kt_close(context, cred->keytab); - xfree(cred); + k5_mutex_destroy(&cred->lock); + xfree(cred); *minor_status = code; + krb5_free_context(context); return(GSS_S_FAILURE); } @@ -504,8 +622,10 @@ krb5_gss_acquire_cred_no_lock(ctx, minor_status, desired_name, time_req, (void)krb5_kt_close(context, cred->keytab); if (cred->princ) krb5_free_principal(context, cred->princ); - xfree(cred); + k5_mutex_destroy(&cred->lock); + xfree(cred); *minor_status = code; + krb5_free_context(context); return(GSS_S_FAILURE); } 
@@ -516,15 +636,15 @@ krb5_gss_acquire_cred_no_lock(ctx, minor_status, desired_name, time_req, /* create mechs */ if (actual_mechs) { - if (GSS_ERROR(ret = gss_create_empty_oid_set(minor_status, + if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status, &ret_mechs)) || (cred->prerfc_mech && - GSS_ERROR(ret = gss_add_oid_set_member(minor_status, - (gss_OID) gss_mech_krb5_old, + GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status, + (const gss_OID) gss_mech_krb5_old, &ret_mechs))) || (cred->rfc_mech && - GSS_ERROR(ret = gss_add_oid_set_member(minor_status, - (gss_OID) gss_mech_krb5, + GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status, + (const gss_OID) gss_mech_krb5, &ret_mechs)))) { if (cred->ccache) (void)krb5_cc_close(context, cred->ccache); @@ -532,8 +652,10 @@ krb5_gss_acquire_cred_no_lock(ctx, minor_status, desired_name, time_req, (void)krb5_kt_close(context, cred->keytab); if (cred->princ) krb5_free_principal(context, cred->princ); + k5_mutex_destroy(&cred->lock); xfree(cred); - /* (*minor_status) set above */ + /* *minor_status set above */ + krb5_free_context(context); return(ret); } } @@ -541,7 +663,6 @@ krb5_gss_acquire_cred_no_lock(ctx, minor_status, desired_name, time_req, /* intern the credential handle */ if (! kg_save_cred_id((gss_cred_id_t) cred)) { - (void) gss_release_oid_set(NULL, &ret_mechs); free(ret_mechs->elements); free(ret_mechs); if (cred->ccache) @@ -550,8 +671,10 @@ krb5_gss_acquire_cred_no_lock(ctx, minor_status, desired_name, time_req, (void)krb5_kt_close(context, cred->keytab); if (cred->princ) krb5_free_principal(context, cred->princ); + k5_mutex_destroy(&cred->lock); xfree(cred); *minor_status = (OM_uint32) G_VALIDATE_FAILED; + krb5_free_context(context); return(GSS_S_FAILURE); } 
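Review bot: On the `kg_save_cred_id` failure path, `free(ret_mechs->elements)` and `free(ret_mechs)` run even when `actual_mechs` was NULL, and in that case `ret_mechs` is never assigned — the earlier hunk in this file dropped its `= GSS_C_NULL_OID_SET` initializer, so this now dereferences and frees an indeterminate pointer rather than a NULL one. Restore `gss_OID_set ret_mechs = GSS_C_NULL_OID_SET;` at the declaration and guard the cleanup with `if (ret_mechs != GSS_C_NULL_OID_SET) { free(ret_mechs->elements); free(ret_mechs); }`. The previous code would have crashed on the same path, so this is not introduced by the commit, but with `gss_release_oid_set` gone these two frees are now the only cleanup there.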
@@ -561,5 +684,7 @@ krb5_gss_acquire_cred_no_lock(ctx, minor_status, desired_name, time_req, *output_cred_handle = (gss_cred_id_t) cred; if (actual_mechs) *actual_mechs = ret_mechs; + + krb5_free_context(context); return(GSS_S_COMPLETE); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/acquire_cred_with_pw.c b/usr/src/lib/gss_mechs/mech_krb5/mech/acquire_cred_with_pw.c index 0ad9d0f8e2..09b42f3050 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/acquire_cred_with_pw.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/acquire_cred_with_pw.c @@ -1,5 +1,5 @@ /* - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -78,6 +78,7 @@ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ +#include "gss_libinit.h" #include <gssapiP_krb5.h> #include <k5-int.h> @@ -203,12 +204,11 @@ out: /*ARGSUSED*/ OM_uint32 -krb5_gss_acquire_cred_with_password_no_lock(ctx, minor_status, +krb5_gss_acquire_cred_with_password(minor_status, desired_name, password, time_req, desired_mechs, cred_usage, output_cred_handle, actual_mechs, time_rec) -void *ctx; OM_uint32 *minor_status; gss_name_t desired_name; const gss_buffer_t password; @@ -228,16 +228,21 @@ OM_uint32 *time_rec; OM_uint32 ret; krb5_error_code code; -#if 0 - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return (GSS_S_FAILURE); -#endif - - context = ctx; - if (desired_name == GSS_C_NO_NAME) return (GSS_S_BAD_NAME); + code = gssint_initialize_library(); + if (code) { + *minor_status = code; + return (GSS_S_FAILURE); + } + + code = krb5_gss_init_context(&context); + if (code) { + *minor_status = code; + return (GSS_S_FAILURE); + } + /* make sure all outputs are valid */ *output_cred_handle = NULL; 
@@ -249,6 +254,7 @@ OM_uint32 *time_rec; /* validate the name */ if (!kg_validate_name(desired_name)) { *minor_status = (OM_uint32) G_VALIDATE_FAILED; + krb5_free_context(context); return (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); } @@ -276,6 +282,7 @@ OM_uint32 *time_rec; if (!req_old && !req_new) { *minor_status = 0; + krb5_free_context(context); return (GSS_S_BAD_MECH); } } @@ -284,13 +291,13 @@ OM_uint32 *time_rec; if ((cred = (krb5_gss_cred_id_t) xmalloc(sizeof (krb5_gss_cred_id_rec))) == NULL) { *minor_status = ENOMEM; + krb5_free_context(context); return (GSS_S_FAILURE); } memset(cred, 0, sizeof (krb5_gss_cred_id_rec)); cred->usage = cred_usage; cred->princ = NULL; - cred->actual_mechs = valid_mechs; cred->prerfc_mech = req_old; cred->rfc_mech = req_new; @@ -302,6 +309,7 @@ OM_uint32 *time_rec; (cred_usage != GSS_C_BOTH)) { xfree(cred); *minor_status = (OM_uint32) G_BAD_USAGE; + krb5_free_context(context); return (GSS_S_FAILURE); } @@ -319,6 +327,7 @@ OM_uint32 *time_rec; if (cred->princ) krb5_free_principal(context, cred->princ); xfree(cred); + krb5_free_context(context); /* minor_status set by acquire_accept_cred() */ return (ret); } @@ -340,6 +349,7 @@ OM_uint32 *time_rec; if (cred->princ) krb5_free_principal(context, cred->princ); xfree(cred); + krb5_free_context(context); /* minor_status set by acquire_init_cred() */ return (ret); } @@ -355,6 +365,7 @@ OM_uint32 *time_rec; (void) krb5_kt_close(context, cred->keytab); xfree(cred); *minor_status = code; + krb5_free_context(context); return (GSS_S_FAILURE); } @@ -377,6 +388,7 @@ OM_uint32 *time_rec; krb5_free_principal(context, cred->princ); xfree(cred); *minor_status = code; + krb5_free_context(context); return (GSS_S_FAILURE); } @@ -405,6 +417,7 @@ OM_uint32 *time_rec; if (cred->princ) krb5_free_principal(context, cred->princ); xfree(cred); + krb5_free_context(context); /* (*minor_status) set above */ return (ret); } 
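Review bot: The credential record built in this hunk never gets its lock initialized: it is zero-filled and the mech flags are set, but unlike the parallel code in acquire_cred.c there is no `k5_mutex_init(&cred->lock)`, and none of this file's failure paths call `k5_mutex_destroy`, which suggests it is not done in the few lines between hunks either. The other routines in this commit now take `cred->lock` on any handle they receive (add_cred, copy_ccache, validate_cred_1), so a handle from acquire_cred_with_password would be locked without ever being initialized. I'd add the init right after the `cred->rfc_mech = req_new;` line, mirroring acquire_cred.c, and put `k5_mutex_destroy(&cred->lock);` before each later `xfree(cred);`. This is inferred from the visible hunks; if the init lives in the unseen lines, disregard.
```c
	cred->rfc_mech = req_new;

	code = k5_mutex_init(&cred->lock);
	if (code) {
		xfree(cred);
		*minor_status = code;
		krb5_free_context(context);
		return (GSS_S_FAILURE);
	}
	/* … unchanged: cred_usage validation and the rest of the function … */
```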
@@ -423,12 +436,14 @@ OM_uint32 *time_rec; if (cred->princ) krb5_free_principal(context, cred->princ); xfree(cred); + krb5_free_context(context); *minor_status = (OM_uint32) G_VALIDATE_FAILED; return (GSS_S_FAILURE); } - /* return success */ + krb5_free_context(context); + /* return success */ *minor_status = 0; *output_cred_handle = (gss_cred_id_t)cred; if (actual_mechs) @@ -436,6 +451,7 @@ OM_uint32 *time_rec; return (GSS_S_COMPLETE); } +/*ARGSUSED*/ OM_uint32 gssspi_acquire_cred_with_password(ctx, minor_status, desired_name, password, time_req, desired_mechs, cred_usage, @@ -453,10 +469,8 @@ OM_uint32 *time_rec; { OM_uint32 ret; - mutex_lock(&krb5_mutex); - ret = krb5_gss_acquire_cred_with_password_no_lock(ctx, minor_status, + ret = krb5_gss_acquire_cred_with_password(minor_status, desired_name, password, time_req, desired_mechs, cred_usage, output_cred_handle, actual_mechs, time_rec); - mutex_unlock(&krb5_mutex); return (ret); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/add_cred.c b/usr/src/lib/gss_mechs/mech_krb5/mech/add_cred.c index ba025b7937..b24d1496ca 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/add_cred.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/add_cred.c @@ -1,8 +1,3 @@ -/* - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - #pragma ident "%Z%%M% %I% %E% SMI" /* @@ -13,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright 
@@ -27,18 +22,18 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * */ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -49,15 +44,13 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ -#include <gssapiP_krb5.h> -#include <gssapiP_generic.h> -#include <k5-int.h> +#include "gssapiP_krb5.h" #ifdef HAVE_STRING_H #include <string.h> #else @@ -65,19 +58,16 @@ #endif /* - * $Id: add_cred.c,v 1.2.6.2 2000/05/03 20:00:26 raeburn Exp $ + * $Id: add_cred.c 18015 2006-05-17 05:26:12Z raeburn $ */ /* V2 interface */ -/*ARGSUSED*/ OM_uint32 -krb5_gss_add_cred(ct, minor_status, input_cred_handle, +krb5_gss_add_cred(minor_status, input_cred_handle, desired_name, desired_mech, cred_usage, initiator_time_req, acceptor_time_req, - output_cred_handle, actual_mechs, + output_cred_handle, actual_mechs, initiator_time_rec, acceptor_time_rec) - - void * ct; OM_uint32 *minor_status; gss_cred_id_t input_cred_handle; gss_name_t desired_name; 
@@ -90,13 +80,10 @@ krb5_gss_add_cred(ct, minor_status, input_cred_handle, OM_uint32 *initiator_time_rec; OM_uint32 *acceptor_time_rec; { - krb5_context context = ct; - OM_uint32 lifetime; + krb5_context context; + OM_uint32 major_status, lifetime; krb5_gss_cred_id_t cred; krb5_error_code code; - OM_uint32 major_status = GSS_S_FAILURE; - - *minor_status = 0; /* this is pretty simple, since there's not really any difference between the underlying mechanisms. The main hair is in copying @@ -104,8 +91,7 @@ krb5_gss_add_cred(ct, minor_status, input_cred_handle, /* check if the desired_mech is bogus */ - if (!g_OID_equal(desired_mech, gss_mech_krb5_v2) && - !g_OID_equal(desired_mech, gss_mech_krb5) && + if (!g_OID_equal(desired_mech, gss_mech_krb5) && !g_OID_equal(desired_mech, gss_mech_krb5_old)) { *minor_status = 0; return(GSS_S_BAD_MECH); @@ -129,22 +115,21 @@ krb5_gss_add_cred(ct, minor_status, input_cred_handle, return(GSS_S_DUPLICATE_ELEMENT); } - /* Solaris Kerberos: for MT safety, we avoid the use of a default - * context via kg_get_context() */ -#if 0 - if (GSS_ERROR(kg_get_context(minor_status, (krb5_context*) &context))) - return(GSS_S_FAILURE); -#endif - - mutex_lock(&krb5_mutex); + code = krb5_gss_init_context(&context); + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } - /* verify the credential */ - if (GSS_ERROR(major_status = krb5_gss_validate_cred_no_lock(&context, - minor_status, input_cred_handle))) { - goto unlock; + major_status = krb5_gss_validate_cred_1(minor_status, input_cred_handle, + context); + if (GSS_ERROR(major_status)) { + krb5_free_context(context); + return major_status; } cred = (krb5_gss_cred_id_t) input_cred_handle; + k5_mutex_assert_locked(&cred->lock); /* check if the cred_usage is equal or "less" than the passed-in cred if copying */ 
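Review bot: `krb5_gss_validate_cred_1` hands the credential back with `cred->lock` held — the `k5_mutex_assert_locked(&cred->lock)` right after it says as much — yet the failure returns in this hunk and the ones following it (bad usage, duplicate mech, `kg_sync_ccache_name`, name validation) only call `krb5_free_context(context)` and return, so the caller keeps a locked handle and its next use of it blocks forever or trips the assert. Each of those returns should do `k5_mutex_unlock(&cred->lock);` before freeing the context. The copy-the-cred section and the success path may release it in lines outside the visible hunks, but nothing in the final hunks of this file shows an unlock either, and krb5_gss_inquire_cred is called on `cred` there, which itself locks the handle. The function continues past this hunk.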
@@ -152,9 +137,9 @@ krb5_gss_add_cred(ct, minor_status, input_cred_handle, if (!((cred->usage == cred_usage) || ((cred->usage == GSS_C_BOTH) && (output_cred_handle != NULL)))) { - *minor_status = (OM_uint32) G_BAD_USAGE; - major_status = GSS_S_FAILURE; - goto unlock; + *minor_status = (OM_uint32) G_BAD_USAGE; + krb5_free_context(context); + return(GSS_S_FAILURE); } /* check that desired_mech isn't already in the credential */ @@ -162,8 +147,13 @@ krb5_gss_add_cred(ct, minor_status, input_cred_handle, if ((g_OID_equal(desired_mech, gss_mech_krb5_old) && cred->prerfc_mech) || (g_OID_equal(desired_mech, gss_mech_krb5) && cred->rfc_mech)) { *minor_status = 0; - major_status = GSS_S_DUPLICATE_ELEMENT; - goto unlock; + krb5_free_context(context); + return(GSS_S_DUPLICATE_ELEMENT); + } + + if (GSS_ERROR(kg_sync_ccache_name(context, minor_status))) { + krb5_free_context(context); + return GSS_S_FAILURE; } /* verify the desired_name */ @@ -172,8 +162,8 @@ krb5_gss_add_cred(ct, minor_status, input_cred_handle, if ((desired_name != (gss_name_t) NULL) && (! kg_validate_name(desired_name))) { *minor_status = (OM_uint32) G_VALIDATE_FAILED; - major_status = (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); - goto unlock; + krb5_free_context(context); + return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); } /* make sure the desired_name is the same as the existing one */ @@ -182,8 +172,8 @@ krb5_gss_add_cred(ct, minor_status, input_cred_handle, !krb5_principal_compare(context, (krb5_principal) desired_name, cred->princ)) { *minor_status = 0; - major_status = GSS_S_BAD_NAME; - goto unlock; + krb5_free_context(context); + return(GSS_S_BAD_NAME); } /* copy the cred if necessary */ 
@@ -199,8 +189,8 @@ krb5_gss_add_cred(ct, minor_status, input_cred_handle, (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec))) == NULL) { *minor_status = ENOMEM; - major_status = GSS_S_FAILURE; - goto unlock; + krb5_free_context(context); + return(GSS_S_FAILURE); } memset(new_cred, 0, sizeof(krb5_gss_cred_id_rec)); 
@@ -209,48 +199,54 @@ krb5_gss_add_cred(ct, minor_status, input_cred_handle, new_cred->rfc_mech = cred->rfc_mech; new_cred->tgt_expire = cred->tgt_expire; - if (code = krb5_copy_principal(context, cred->princ, - &new_cred->princ)) { - free(new_cred); + if (cred->princ) + code = krb5_copy_principal(context, cred->princ, &new_cred->princ); + if (code) { + xfree(new_cred); *minor_status = code; - major_status = GSS_S_FAILURE; - goto unlock; + krb5_free_context(context); + return(GSS_S_FAILURE); } - + if (cred->keytab) { kttype = krb5_kt_get_type(context, cred->keytab); if ((strlen(kttype)+2) > sizeof(ktboth)) { - krb5_free_principal(context, new_cred->princ); - free(new_cred); + if (new_cred->princ) + krb5_free_principal(context, new_cred->princ); + xfree(new_cred); *minor_status = ENOMEM; - major_status = GSS_S_FAILURE; - goto unlock; + krb5_free_context(context); + return(GSS_S_FAILURE); } strncpy(ktboth, kttype, sizeof(ktboth) - 1); ktboth[sizeof(ktboth) - 1] = '\0'; strncat(ktboth, ":", sizeof(ktboth) - 1 - strlen(ktboth)); - code = krb5_kt_get_name(context, cred->keytab, - ktboth+strlen(ktboth), sizeof(ktboth)-strlen(ktboth)); + code = krb5_kt_get_name(context, cred->keytab, + ktboth+strlen(ktboth), + sizeof(ktboth)-strlen(ktboth)); if (code) { - krb5_free_principal(context, new_cred->princ); - free(new_cred); + if(new_cred->princ) + krb5_free_principal(context, new_cred->princ); + xfree(new_cred); *minor_status = code; - major_status = GSS_S_FAILURE; - goto unlock; + krb5_free_context(context); + return(GSS_S_FAILURE); } - if (code = krb5_kt_resolve(context, ktboth, &new_cred->keytab)) { + code = krb5_kt_resolve(context, ktboth, &new_cred->keytab); + if (code) { + if (new_cred->princ) krb5_free_principal(context, new_cred->princ); - free(new_cred); + xfree(new_cred); *minor_status = code; - major_status = GSS_S_FAILURE; - goto unlock; + krb5_free_context(context); + return(GSS_S_FAILURE); } } else { new_cred->keytab = NULL; 
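Review bot: `if (cred->princ) code = krb5_copy_principal(...); if (code) {` relies on `code` still holding 0 from the `krb5_gss_init_context` call much earlier in the function — `code` is declared without an initializer, so any future assignment between the two turns the no-principal case into a spurious failure or a branch on an indeterminate value. Make the dependency explicit: `code = 0;` before the copy, or fold it as `if (cred->princ && (code = krb5_copy_principal(context, cred->princ, &new_cred->princ))) {`. The keytab-name assembly below is fine as written: the `strlen(kttype)+2` check covers the type and separator, and krb5_kt_get_name is given the remaining buffer size.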
@@ -263,12 +259,13 @@ krb5_gss_add_cred(ct, minor_status, input_cred_handle, &new_cred->rcache))) { if (new_cred->keytab) krb5_kt_close(context, new_cred->keytab); - krb5_free_principal(context, new_cred->princ); - free(new_cred); + if (new_cred->princ) + krb5_free_principal(context, new_cred->princ); + xfree(new_cred); + krb5_free_context(context); *minor_status = code; - major_status = GSS_S_FAILURE; - goto unlock; + return(GSS_S_FAILURE); } } else { new_cred->rcache = NULL; @@ -283,12 +280,13 @@ krb5_gss_add_cred(ct, minor_status, input_cred_handle, krb5_rc_close(context, new_cred->rcache); if (new_cred->keytab) krb5_kt_close(context, new_cred->keytab); + if (new_cred->princ) krb5_free_principal(context, new_cred->princ); - free(new_cred); + xfree(new_cred); + krb5_free_context(context); *minor_status = ENOMEM; - major_status = GSS_S_FAILURE; - goto unlock; + return(GSS_S_FAILURE); } strncpy(ccboth, cctype, sizeof(ccboth) - 1); @@ -296,17 +294,19 @@ krb5_gss_add_cred(ct, minor_status, input_cred_handle, strncat(ccboth, ":", sizeof(ccboth) - 1 - strlen(ccboth)); strncat(ccboth, ccname, sizeof(ccboth) - 1 - strlen(ccboth)); - if (code = krb5_cc_resolve(context, ccboth, &new_cred->ccache)) { + code = krb5_cc_resolve(context, ccboth, &new_cred->ccache); + if (code) { if (new_cred->rcache) krb5_rc_close(context, new_cred->rcache); if (new_cred->keytab) krb5_kt_close(context, new_cred->keytab); - krb5_free_principal(context, new_cred->princ); - free(new_cred); + if (new_cred->princ) + krb5_free_principal(context, new_cred->princ); + xfree(new_cred); + krb5_free_context(context); *minor_status = code; - major_status = GSS_S_FAILURE; - goto unlock; + return(GSS_S_FAILURE); } } else { new_cred->ccache = NULL; 
@@ -321,12 +321,13 @@ krb5_gss_add_cred(ct, minor_status, input_cred_handle, krb5_rc_close(context, new_cred->rcache); if (new_cred->keytab) krb5_kt_close(context, new_cred->keytab); + if (new_cred->princ) krb5_free_principal(context, new_cred->princ); - free(new_cred); + xfree(new_cred); + krb5_free_context(context); *minor_status = (OM_uint32) G_VALIDATE_FAILED; - major_status = GSS_S_FAILURE; - goto unlock; + return(GSS_S_FAILURE); } /* modify new_cred */ @@ -343,18 +344,17 @@ krb5_gss_add_cred(ct, minor_status, input_cred_handle, /* set the outputs */ - major_status = krb5_gss_inquire_cred_no_lock(&context, minor_status, - (gss_cred_id_t)cred, - NULL, &lifetime, - NULL, actual_mechs); - - if (GSS_ERROR(major_status)) { + if (GSS_ERROR(major_status = krb5_gss_inquire_cred(minor_status, + (gss_cred_id_t) cred, + NULL, &lifetime, + NULL, actual_mechs))) { OM_uint32 dummy; if (output_cred_handle) - (void) krb5_gss_release_cred_no_lock(&context, &dummy, (gss_cred_id_t *) &cred); + (void) krb5_gss_release_cred(&dummy, (gss_cred_id_t *) &cred); + krb5_free_context(context); - goto unlock; + return(major_status); } if (initiator_time_rec) @@ -363,12 +363,9 @@ krb5_gss_add_cred(ct, minor_status, input_cred_handle, *acceptor_time_rec = lifetime; if (output_cred_handle) - *output_cred_handle = (gss_cred_id_t)cred; + *output_cred_handle = (gss_cred_id_t) cred; + krb5_free_context(context); *minor_status = 0; - major_status = GSS_S_COMPLETE; - -unlock: - mutex_unlock(&krb5_mutex); - return(major_status); + return(GSS_S_COMPLETE); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/compare_name.c b/usr/src/lib/gss_mechs/mech_krb5/mech/compare_name.c index 2ae2199855..330faf7ca6 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/compare_name.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/compare_name.c 
@@ -1,13 +1,8 @@ -/* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - #pragma ident "%Z%%M% %I% %E% SMI" /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -17,7 +12,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR 
@@ -28,45 +23,40 @@ */ /* - * $Id: compare_name.c,v 1.9 1996/07/22 20:33:38 marc Exp $ + * $Id: compare_name.c 18015 2006-05-17 05:26:12Z raeburn $ */ -#include <gssapiP_krb5.h> +#include "gssapiP_krb5.h" OM_uint32 -krb5_gss_compare_name(ctx, minor_status, name1, name2, name_equal) - void *ctx; +krb5_gss_compare_name(minor_status, name1, name2, name_equal) OM_uint32 *minor_status; gss_name_t name1; gss_name_t name2; int *name_equal; -{ +{ krb5_context context; - mutex_lock(&krb5_mutex); - context = ctx; - - /* Solaris Kerberos: for MT safety, we avoid the use of a default - * context via kg_get_context() */ -#if 0 - if (GSS_ERROR(kg_get_context(minor_status, (krb5_context*) &context))) - return(GSS_S_FAILURE); -#endif + krb5_error_code code; if (! kg_validate_name(name1)) { *minor_status = (OM_uint32) G_VALIDATE_FAILED; - mutex_unlock(&krb5_mutex); return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); } if (! kg_validate_name(name2)) { *minor_status = (OM_uint32) G_VALIDATE_FAILED; - mutex_unlock(&krb5_mutex); return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); } + code = krb5_gss_init_context(&context); + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } + *minor_status = 0; *name_equal = krb5_principal_compare(context, (krb5_principal) name1, (krb5_principal) name2); - mutex_unlock(&krb5_mutex); + krb5_free_context(context); return(GSS_S_COMPLETE); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/context_time.c b/usr/src/lib/gss_mechs/mech_krb5/mech/context_time.c index d5c871daf3..fb19e87075 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/context_time.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/context_time.c 
@@ -1,13 +1,7 @@ -/* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - #pragma ident "%Z%%M% %I% %E% SMI" -/* - * Copyright 1993 by OpenVision Technologies, Inc. - * +/* Copyright 1993 by OpenVision Technologies, Inc. + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -17,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -27,38 +21,26 @@ * PERFORMANCE OF THIS SOFTWARE. */ -#include <gssapiP_krb5.h> +#include "gssapiP_krb5.h" /* - * $Id: context_time.c,v 1.9 1996/07/22 20:33:41 marc Exp $ + * $Id: context_time.c 16187 2004-03-19 09:33:57Z raeburn $ */ OM_uint32 -krb5_gss_context_time(ct, minor_status, context_handle, time_rec) - void *ct; +krb5_gss_context_time(minor_status, context_handle, time_rec) OM_uint32 *minor_status; gss_ctx_id_t context_handle; OM_uint32 *time_rec; { - krb5_context context = ct; krb5_error_code code; krb5_gss_ctx_id_rec *ctx; krb5_timestamp now; krb5_deltat lifetime; - /* Solaris Kerberos: for MT safety, we avoid the use of a default - * context via kg_get_context() */ -#if 0 - if (GSS_ERROR(kg_get_context(minor_status, (krb5_context*) &context))) - return(GSS_S_FAILURE); -#endif - - mutex_lock(&krb5_mutex); - /* validate the context handle */ if (! kg_validate_ctx_id(context_handle)) { *minor_status = (OM_uint32) G_VALIDATE_FAILED; - mutex_unlock(&krb5_mutex); return(GSS_S_NO_CONTEXT); } 
@@ -66,25 +48,21 @@ krb5_gss_context_time(ct, minor_status, context_handle, time_rec) if (! ctx->established) { *minor_status = KG_CTX_INCOMPLETE; - mutex_unlock(&krb5_mutex); return(GSS_S_NO_CONTEXT); } - if (code = krb5_timeofday(context, &now)) { + if ((code = krb5_timeofday(ctx->k5_context, &now))) { *minor_status = code; - mutex_unlock(&krb5_mutex); return(GSS_S_FAILURE); } if ((lifetime = ctx->endtime - now) <= 0) { *time_rec = 0; *minor_status = 0; - mutex_unlock(&krb5_mutex); return(GSS_S_CONTEXT_EXPIRED); } else { *time_rec = lifetime; *minor_status = 0; - mutex_unlock(&krb5_mutex); return(GSS_S_COMPLETE); } } diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/copy_ccache.c b/usr/src/lib/gss_mechs/mech_krb5/mech/copy_ccache.c index a8e115d357..0a84ec37bc 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/copy_ccache.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/copy_ccache.c 
@@ -1,75 +1,61 @@ -/* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - #pragma ident "%Z%%M% %I% %E% SMI" -/* - * /usr/src/lib/gss_mechs/mech_krb5/mech/copy_ccache.c - */ - -#include <gssapiP_krb5.h> +#include "gssapiP_krb5.h" -GSS_DLLIMP OM_uint32 KRB5_CALLCONV -gss_krb5_copy_ccache(ctx, minor_status, cred_handle, out_ccache) - void *ctx; +OM_uint32 KRB5_CALLCONV +gss_krb5int_copy_ccache(minor_status, cred_handle, out_ccache) OM_uint32 *minor_status; gss_cred_id_t cred_handle; krb5_ccache out_ccache; { - OM_uint32 major_status; + OM_uint32 stat; krb5_gss_cred_id_t k5creds; krb5_cc_cursor cursor; krb5_creds creds; krb5_error_code code; - krb5_context context = ctx; - - mutex_lock(&krb5_mutex); - - *minor_status = 0; + krb5_context context; /* validate the cred handle */ - major_status = krb5_gss_validate_cred_no_lock(context, minor_status, - cred_handle); - if (major_status) - goto unlock; - + stat = krb5_gss_validate_cred(minor_status, cred_handle); + if (stat) + return(stat); + k5creds = (krb5_gss_cred_id_t) cred_handle; + code = k5_mutex_lock(&k5creds->lock); + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } if (k5creds->usage == GSS_C_ACCEPT) { + k5_mutex_unlock(&k5creds->lock); *minor_status = (OM_uint32) G_BAD_USAGE; - major_status = GSS_S_FAILURE; - goto unlock; + return(GSS_S_FAILURE); } - /* Solaris Kerberos: for MT safety, we avoid the use of a default - * context via kg_get_context() */ -#if 0 - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return (GSS_S_FAILURE); -#endif + code = krb5_gss_init_context(&context); + if (code) { + k5_mutex_unlock(&k5creds->lock); + *minor_status = code; + return GSS_S_FAILURE; + } code = krb5_cc_start_seq_get(context, k5creds->ccache, &cursor); if (code) { + k5_mutex_unlock(&k5creds->lock); *minor_status = code; - major_status = GSS_S_FAILURE; - goto unlock; + krb5_free_context(context); + return(GSS_S_FAILURE); } - while (!code && 
!krb5_cc_next_cred(context, k5creds->ccache, &cursor, &creds)) + while (!code && !krb5_cc_next_cred(context, k5creds->ccache, &cursor, &creds)) code = krb5_cc_store_cred(context, out_ccache, &creds); krb5_cc_end_seq_get(context, k5creds->ccache, &cursor); - + k5_mutex_unlock(&k5creds->lock); + krb5_free_context(context); if (code) { *minor_status = code; - major_status = GSS_S_FAILURE; - goto unlock; + return(GSS_S_FAILURE); } else { *minor_status = 0; - major_status = GSS_S_COMPLETE; - goto unlock; + return(GSS_S_COMPLETE); } - -unlock: - mutex_unlock(&krb5_mutex); - return(major_status); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/disp_com_err_status.c b/usr/src/lib/gss_mechs/mech_krb5/mech/disp_com_err_status.c index 91e495826d..150f30ec20 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/disp_com_err_status.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/disp_com_err_status.c @@ -1,13 +1,8 @@ -/* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - #pragma ident "%Z%%M% %I% %E% SMI" /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -17,7 +12,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR 
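Review bot: In the copy loop `while (!code && !krb5_cc_next_cred(...)) code = krb5_cc_store_cred(...)` the `creds` filled in by each krb5_cc_next_cred call is never released, so every credential copied, including any session keys it carries, is leaked on the heap instead of being freed and cleared. Give the loop a body that stores and then releases the entry: `{ code = krb5_cc_store_cred(context, out_ccache, &creds); krb5_free_cred_contents(context, &creds); }`. The loop also treats any non-zero return from krb5_cc_next_cred as end-of-cache, so a read error on the source cache is reported to the caller as GSS_S_COMPLETE; that is inherited from the old code, but if iteration errors are meant to surface they need their own variable instead of sharing `code` with the store.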
@@ -28,28 +23,28 @@ */ /* - * $Id: disp_com_err_status.c,v 1.5 1996/07/22 20:32:59 marc Exp $ + * $Id: disp_com_err_status.c 16391 2004-06-02 23:40:12Z raeburn $ */ -#include <gssapiP_generic.h> -#include <com_err.h> +#include "gssapiP_generic.h" +#include "com_err.h" +#include "gss_libinit.h" + +/* XXXX internationalization!! */ + +/**/ -/* - * Solaris Kerberos does not dynamically load the error tables - */ -#if 0 -static int init_et = 0; -#endif static const char * const no_error = "No error"; -/* - * if status_type == GSS_C_GSS_CODE, return up to three error messages, - * for routine errors, call error, and status, in that order. - * message_context == 0 : print the routine error - * message_context == 1 : print the calling error - * message_context > 2 : print supplementary info bit (message_context-2) - * if status_type == GSS_C_MECH_CODE, return the output from error_message() - */ +/**/ + +/* if status_type == GSS_C_GSS_CODE, return up to three error messages, + for routine errors, call error, and status, in that order. + message_context == 0 : print the routine error + message_context == 1 : print the calling error + message_context > 2 : print supplementary info bit (message_context-2) + if status_type == GSS_C_MECH_CODE, return the output from error_message() + */ OM_uint32 g_display_com_err_status(minor_status, status_value, status_string) @@ -60,13 +55,7 @@ g_display_com_err_status(minor_status, status_value, status_string) status_string->length = 0; status_string->value = NULL; -/* Solaris Kerberos does not dynamically load the error tables */ -#if 0 - if (!init_et) { - initialize_ggss_error_table(); - init_et = 1; - } -#endif + (void) gssint_initialize_library(); if (! g_make_string_buffer(((status_value == 0)?no_error: error_message(status_value)), diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/disp_major_status.c b/usr/src/lib/gss_mechs/mech_krb5/mech/disp_major_status.c index c3dd9b6b9b..457d2537b9 100644 
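Review bot: The result of `(void) gssint_initialize_library();` is discarded, so when initialisation fails the code falls straight through to `error_message(status_value)`; whether that yields a generic "unknown code" string or something worse depends on how the com_err lookup behaves before `add_error_table` has run, which is not visible here. Either check the return and report GSS_S_FAILURE, or document why ignoring it is acceptable for a display routine, e.g. `/* best effort: if init fails error_message() falls back to a generic string */`. The same `(void)` call appears in the GSS_C_MECH_CODE branch of krb5_gss_display_status in disp_status.c and should get the same treatment. g_display_com_err_status starts before and continues past the hunk.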
--- a/usr/src/lib/gss_mechs/mech_krb5/mech/disp_major_status.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/disp_major_status.c @@ -1,4 +1,5 @@ #pragma ident "%Z%%M% %I% %E% SMI" + /* * Copyright 1993 by OpenVision Technologies, Inc. * @@ -21,19 +22,24 @@ * PERFORMANCE OF THIS SOFTWARE. */ -#include <gssapiP_generic.h> +#include "gssapiP_generic.h" #include <string.h> #include <stdio.h> /* - * $Id: disp_major_status.c,v 1.6 1996/07/22 20:33:01 marc Exp $ + * $Id: disp_major_status.c 13236 2001-05-08 17:10:18Z epeisach $ */ -#define GSS_CALLING_ERROR_FIELD(x) \ - (((x) >> GSS_C_CALLING_ERROR_OFFSET) & GSS_C_CALLING_ERROR_MASK) +/* XXXX these are not part of the GSSAPI C bindings! (but should be) */ +/* SUNW15resync - MIT 1.5 has these in gssapi.h */ + +#define GSS_CALLING_ERROR_FIELD(x) \ + (((x) >> GSS_C_CALLING_ERROR_OFFSET) & GSS_C_CALLING_ERROR_MASK) +#define GSS_ROUTINE_ERROR_FIELD(x) \ + (((x) >> GSS_C_ROUTINE_ERROR_OFFSET) & GSS_C_ROUTINE_ERROR_MASK) +#define GSS_SUPPLEMENTARY_INFO_FIELD(x) \ + (((x) >> GSS_C_SUPPLEMENTARY_OFFSET) & GSS_C_SUPPLEMENTARY_MASK) -#define GSS_ROUTINE_ERROR_FIELD(x) \ - (((x) >> GSS_C_ROUTINE_ERROR_OFFSET) & GSS_C_ROUTINE_ERROR_MASK) /* This code has knowledge of the min and max errors of each type within the gssapi major status */ @@ -114,16 +120,16 @@ static const char * const unknown_error = "Unknown %s (field = %d)"; /**/ -int display_unknown(kind, value, buffer) +static int +display_unknown(kind, value, buffer) const char *kind; OM_uint32 value; gss_buffer_t buffer; { - size_t len; char *str; - str = (char *) xmalloc(strlen(unknown_error)+strlen(kind)+7); - if (str == NULL) + if ((str = + (char *) xmalloc(strlen(unknown_error)+strlen(kind)+7)) == NULL) return(0); sprintf(str, unknown_error, kind, value); 
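Review bot: `sprintf(str, unknown_error, kind, value)` writes into a buffer sized `strlen(unknown_error)+strlen(kind)+7`; with `unknown_error` being "Unknown %s (field = %d)" that slack covers at most 10 digits, and `value` is an OM_uint32 printed through `%d`, which renders as an 11-character negative number once its top bit is set. The callers presumably pass masked field values far below that, but the invariant is implicit in the arithmetic; either use `snprintf` with the computed length, or record the assumption: `/* value is a masked status field; 7 bytes of slack covers its decimal form */`. display_unknown's body continues past the hunk.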
@@ -143,7 +149,7 @@ static OM_uint32 display_calling(minor_status, code, status_string) { const char *str; - if ((str = GSS_CALLING_ERROR_STR(code)) != NULL) { + if ((str = GSS_CALLING_ERROR_STR(code))) { if (! g_make_string_buffer(str, status_string)) { *minor_status = ENOMEM; return(GSS_S_FAILURE); @@ -168,7 +174,7 @@ static OM_uint32 display_routine(minor_status, code, status_string) { const char *str; - if ((str = GSS_ROUTINE_ERROR_STR(code)) != NULL) { + if ((str = GSS_ROUTINE_ERROR_STR(code))) { if (! g_make_string_buffer(str, status_string)) { *minor_status = ENOMEM; return(GSS_S_FAILURE); @@ -193,7 +199,7 @@ static OM_uint32 display_bit(minor_status, code, status_string) { const char *str; - if ((str = GSS_SINFO_STR(code)) != NULL) { + if ((str = GSS_SINFO_STR(code))) { if (! g_make_string_buffer(str, status_string)) { *minor_status = ENOMEM; return(GSS_S_FAILURE); @@ -242,7 +248,7 @@ OM_uint32 g_display_major_status(minor_status, status_value, /*** do routine error */ if (*message_context == 0) { - if ((tmp = GSS_ROUTINE_ERROR(status_value)) != 0) { + if ((tmp = GSS_ROUTINE_ERROR(status_value))) { status_value -= tmp; if ((ret = display_routine(minor_status, tmp, status_string))) return(ret); @@ -264,7 +270,7 @@ OM_uint32 g_display_major_status(minor_status, status_value, /*** do calling error */ if (*message_context == 1) { - if ((tmp = GSS_CALLING_ERROR(status_value)) != 0) { + if ((tmp = GSS_CALLING_ERROR(status_value))) { status_value -= tmp; if ((ret = display_calling(minor_status, tmp, status_string))) return(ret); @@ -285,7 +291,7 @@ OM_uint32 g_display_major_status(minor_status, status_value, /*** do sinfo bits (*message_context == 2 + number of bits done) */ - tmp = ((GSS_SUPPLEMENTARY_INFO(status_value)) >> GSS_C_SUPPLEMENTARY_OFFSET); + tmp = GSS_SUPPLEMENTARY_INFO_FIELD(status_value); /* mask off the bits which have been done */ if (*message_context > 2) { tmp &= ~LSBMASK(*message_context-3); 
diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/disp_name.c b/usr/src/lib/gss_mechs/mech_krb5/mech/disp_name.c index 7aa71eb326..014cd700e2 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/disp_name.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/disp_name.c @@ -1,13 +1,8 @@ -/* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - #pragma ident "%Z%%M% %I% %E% SMI" /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -17,7 +12,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR 
@@ -27,59 +22,55 @@ * PERFORMANCE OF THIS SOFTWARE. */ -#include <gssapiP_krb5.h> +#include "gssapiP_krb5.h" OM_uint32 -krb5_gss_display_name(ctx, minor_status, input_name, output_name_buffer, +krb5_gss_display_name(minor_status, input_name, output_name_buffer, output_name_type) - void *ctx; OM_uint32 *minor_status; gss_name_t input_name; gss_buffer_t output_name_buffer; gss_OID *output_name_type; { - krb5_context context = ctx; + krb5_context context; krb5_error_code code; char *str; - mutex_lock(&krb5_mutex); - - /* Solaris Kerberos: for MT safety, we avoid the use of a default - * context via kg_get_context() */ -#if 0 - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return(GSS_S_FAILURE); -#endif + code = krb5_gss_init_context(&context); + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } output_name_buffer->length = 0; output_name_buffer->value = NULL; if (! kg_validate_name(input_name)) { *minor_status = (OM_uint32) G_VALIDATE_FAILED; - mutex_unlock(&krb5_mutex); + krb5_free_context(context); return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); } if ((code = krb5_unparse_name(context, (krb5_principal) input_name, &str))) { *minor_status = code; - mutex_unlock(&krb5_mutex); + krb5_free_context(context); return(GSS_S_FAILURE); } if (! g_make_string_buffer(str, output_name_buffer)) { - xfree(str); + krb5_free_unparsed_name(context, str); + krb5_free_context(context); *minor_status = (OM_uint32) G_BUFFER_ALLOC; - mutex_unlock(&krb5_mutex); return(GSS_S_FAILURE); } - xfree(str); + krb5_free_unparsed_name(context, str); + krb5_free_context(context); *minor_status = 0; if (output_name_type) *output_name_type = (gss_OID) gss_nt_krb5_name; - mutex_unlock(&krb5_mutex); return(GSS_S_COMPLETE); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/disp_status.c b/usr/src/lib/gss_mechs/mech_krb5/mech/disp_status.c index fe8a358306..24034858b1 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/disp_status.c 
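Review bot: `krb5_gss_init_context(&context)` now runs before `output_name_buffer->length = 0; output_name_buffer->value = NULL;`, so on the new early-failure path the caller's buffer is left uninitialised, and a caller that releases the buffer unconditionally after a failed gss_display_name would free garbage. Move the two zeroing lines above the context initialisation so every return path leaves the buffer in a defined state. The same ordering appears in the new krb5_gss_export_name, where `exported_name` is zeroed only after the context has been created.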
+++ b/usr/src/lib/gss_mechs/mech_krb5/mech/disp_status.c @@ -1,13 +1,6 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - -#pragma ident "%Z%%M% %I% %E% SMI" - -/* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -17,7 +10,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -27,21 +20,19 @@ * PERFORMANCE OF THIS SOFTWARE. */ -#include <gssapiP_krb5.h> -#include <com_err.h> +#pragma ident "%Z%%M% %I% %E% SMI" + +#include "gssapiP_krb5.h" +#include "gss_libinit.h" +#include "com_err.h" /* XXXX internationalization!! */ -/* Solaris Kerberos does not dynamically load the error tables */ -#if 0 -static int init_et = 0; -#endif +/**/ -/*ARGSUSED*/ OM_uint32 -krb5_gss_display_status(ctx, minor_status, status_value, status_type, +krb5_gss_display_status(minor_status, status_value, status_type, mech_type, message_context, status_string) - void *ctx; OM_uint32 *minor_status; OM_uint32 status_value; int status_type; 
@@ -49,57 +40,31 @@ krb5_gss_display_status(ctx, minor_status, status_value, status_type, OM_uint32 *message_context; gss_buffer_t status_string; { - OM_uint32 major_status = 0; - - /* Solaris Kerberos: for MT safety, we avoid the use of a default - * context via kg_get_context() */ -#if 0 - if (GSS_ERROR(kg_get_context(minor_status, (krb5_context*) &context))) - return(GSS_S_FAILURE); -#endif - - mutex_lock(&krb5_mutex); status_string->length = 0; status_string->value = NULL; if ((mech_type != GSS_C_NULL_OID) && - !g_OID_equal(gss_mech_krb5_v2, mech_type) && !g_OID_equal(gss_mech_krb5, mech_type) && !g_OID_equal(gss_mech_krb5_old, mech_type)) { *minor_status = 0; - mutex_unlock(&krb5_mutex); return(GSS_S_BAD_MECH); } if (status_type == GSS_C_GSS_CODE) { - - major_status = g_display_major_status(minor_status, status_value, - message_context, status_string); - mutex_unlock(&krb5_mutex); - return(major_status); + return(g_display_major_status(minor_status, status_value, + message_context, status_string)); } else if (status_type == GSS_C_MECH_CODE) { - -/* Solaris Kerberos does not dynamically load the error tables */ -#if 0 - if (!init_et) { - initialize_k5g_error_table(); - init_et = 1; - } -#endif + (void) gssint_initialize_library(); if (*message_context) { *minor_status = (OM_uint32) G_BAD_MSG_CTX; - mutex_unlock(&krb5_mutex); return(GSS_S_FAILURE); } - major_status = g_display_com_err_status(minor_status, status_value, - status_string); - mutex_unlock(&krb5_mutex); - return(major_status); + return(g_display_com_err_status(minor_status, status_value, + status_string)); } else { *minor_status = 0; - mutex_unlock(&krb5_mutex); return(GSS_S_BAD_STATUS); } } diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/export_name.c b/usr/src/lib/gss_mechs/mech_krb5/mech/export_name.c new file mode 100644 index 0000000000..311eb6e14f --- /dev/null +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/export_name.c 
@@ -0,0 +1,98 @@ +#pragma ident "%Z%%M% %I% %E% SMI" + +/* + * lib/gssapi/krb5/export_name.c + * + * Copyright 1997 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + */ + +#include "gssapiP_krb5.h" + +OM_uint32 krb5_gss_export_name(OM_uint32 *minor_status, + const gss_name_t input_name, + gss_buffer_t exported_name) +{ + krb5_context context; + krb5_error_code code; + size_t length; + char *str, *cp; + + if (minor_status) + *minor_status = 0; + + code = krb5_gss_init_context(&context); + if (code) { + if (minor_status) + *minor_status = code; + return GSS_S_FAILURE; + } + + exported_name->length = 0; + exported_name->value = NULL; + + if (! 
kg_validate_name(input_name)) { + if (minor_status) + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + krb5_free_context(context); + return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); + } + + if ((code = krb5_unparse_name(context, (krb5_principal) input_name, + &str))) { + if (minor_status) + *minor_status = code; + krb5_free_context(context); + return(GSS_S_FAILURE); + } + + krb5_free_context(context); + length = strlen(str); + exported_name->length = 10 + length + gss_mech_krb5->length; + exported_name->value = malloc(exported_name->length); + if (!exported_name->value) { + free(str); + if (minor_status) + *minor_status = ENOMEM; + return(GSS_S_FAILURE); + } + cp = exported_name->value; + + /* Note: we assume the OID will be less than 128 bytes... */ + *cp++ = 0x04; *cp++ = 0x01; + *cp++ = (gss_mech_krb5->length+2) >> 8; + *cp++ = (gss_mech_krb5->length+2) & 0xFF; + *cp++ = 0x06; + *cp++ = (gss_mech_krb5->length) & 0xFF; + memcpy(cp, gss_mech_krb5->elements, gss_mech_krb5->length); + cp += gss_mech_krb5->length; + *cp++ = length >> 24; + *cp++ = length >> 16; + *cp++ = length >> 8; + *cp++ = length & 0xFF; + memcpy(cp, str, length); + + free(str); + + return(GSS_S_COMPLETE); +} diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/export_sec_context.c b/usr/src/lib/gss_mechs/mech_krb5/mech/export_sec_context.c index 6b533ee04a..4460c2b486 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/export_sec_context.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/export_sec_context.c @@ -1,8 +1,3 @@ -/* - * Copyright 1999-2002 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - #pragma ident "%Z%%M% %I% %E% SMI" /* 
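Review bot: The string returned by krb5_unparse_name is released with plain `free(str)` on both the ENOMEM path and the success path, while disp_name.c in this same change switched to `krb5_free_unparsed_name(context, str)`; if the library's allocator ever differs from the C runtime's this is a mismatched free. Keep the context alive until the name has been copied, release the string with `krb5_free_unparsed_name(context, str);` and only then call `krb5_free_context(context);`, moving the early `krb5_free_context(context)` that follows the unparse call down accordingly. The DER length byte `*cp++ = (gss_mech_krb5->length) & 0xFF;` relies on the "less than 128 bytes" assumption stated in the comment; it holds for the fixed krb5 mechanism OID, but an explicit check would make the encoding self-protecting.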
@@ -35,33 +30,21 @@ /* * export_sec_context.c - Externalize the security context. */ -#include <gssapiP_krb5.h> -#include <k5-int.h> +#include "gssapiP_krb5.h" OM_uint32 -krb5_gss_export_sec_context(ct, minor_status, context_handle, interprocess_token) - void *ct; +krb5_gss_export_sec_context(minor_status, context_handle, interprocess_token) OM_uint32 *minor_status; gss_ctx_id_t *context_handle; gss_buffer_t interprocess_token; { - krb5_context context = ct; + krb5_context context; krb5_error_code kret; OM_uint32 retval; size_t bufsize, blen; krb5_gss_ctx_id_t ctx; krb5_octet *obuffer, *obp; - /* Solaris Kerberos: for MT safety, we avoid the use of a default - * context via kg_get_context() */ -#if 0 - if (GSS_ERROR(kg_get_context(minor_status, (krb5_context*) &context))) - return(GSS_S_FAILURE); -#endif - - mutex_lock(&krb5_mutex); - context = ct; - /* Assume a tragic failure */ obuffer = (krb5_octet *) NULL; retval = GSS_S_FAILURE; @@ -74,6 +57,14 @@ krb5_gss_export_sec_context(ct, minor_status, context_handle, interprocess_token } ctx = (krb5_gss_ctx_id_t) *context_handle; + context = ctx->k5_context; + kret = krb5_gss_ser_init(context); + if (kret) + goto error_out; + + { gss_OID go = ctx->mech_used; + printf("export ctx len=%lu\n", go->length); + } /* Determine size needed for externalization of context */ bufsize = 0; 
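Review bot: The block `{ gss_OID go = ctx->mech_used; printf("export ctx len=%lu\n", go->length); }` added after `krb5_gss_ser_init` is leftover debugging: a mechanism library writing to the process's stdout on every context export corrupts whatever the application prints there and discloses context details, and `%lu` with an OM_uint32 argument is a format mismatch. Delete the three lines. If the information is wanted for diagnosis, route it through the library's existing debug facility rather than stdio. krb5_gss_export_sec_context starts before and continues past the hunk.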
@@ -101,20 +92,17 @@ krb5_gss_export_sec_context(ct, minor_status, context_handle, interprocess_token retval = GSS_S_COMPLETE; /* Now, clean up the context state */ - /* Note, calling non-locking interface */ - (void)krb5_gss_delete_sec_context_no_lock(context, minor_status, context_handle, NULL); + (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL); *context_handle = GSS_C_NO_CONTEXT; - mutex_unlock(&krb5_mutex); return (GSS_S_COMPLETE); error_out: if (obuffer && bufsize) { memset(obuffer, 0, bufsize); - krb5_xfree(obuffer); + xfree(obuffer); } - if (*minor_status == 0) + if (*minor_status == 0) *minor_status = (OM_uint32) kret; - mutex_unlock(&krb5_mutex); return(retval); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/get_tkt_flags.c b/usr/src/lib/gss_mechs/mech_krb5/mech/get_tkt_flags.c index bafed20b93..e3f4c83a6b 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/get_tkt_flags.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/get_tkt_flags.c @@ -1,4 +1,5 @@ #pragma ident "%Z%%M% %I% %E% SMI" + /* * Copyright 1993 by OpenVision Technologies, Inc. * @@ -21,14 +22,14 @@ * PERFORMANCE OF THIS SOFTWARE. */ -#include <gssapiP_krb5.h> +#include "gssapiP_krb5.h" /* - * $Id: get_tkt_flags.c,v 1.7.4.1 1996/11/21 02:19:40 marc Exp $ + * $Id: get_tkt_flags.c 18131 2006-06-14 22:27:54Z tlyu $ */ -OM_uint32 -gss_krb5_get_tkt_flags(minor_status, context_handle, ticket_flags) +OM_uint32 KRB5_CALLCONV +gss_krb5int_get_tkt_flags(minor_status, context_handle, ticket_flags) OM_uint32 *minor_status; gss_ctx_id_t context_handle; krb5_flags *ticket_flags; diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/gss_libinit.c b/usr/src/lib/gss_mechs/mech_krb5/mech/gss_libinit.c new file mode 100644 index 0000000000..a410640031 --- /dev/null +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/gss_libinit.c 
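Review bot: On the `error_out` path `memset(obuffer, 0, bufsize); xfree(obuffer);` is meant to scrub the partially serialised context, which carries the session keys, but a memset immediately followed by a free is exactly the pattern an optimiser removes as a dead store, so the scrub may never happen. Use a clearing routine the compiler cannot elide (a volatile-qualified byte loop if the tree has no dedicated helper) and add `/* scrub: the serialised context includes key material */` so the intent survives the next cleanup. The function starts before the hunk.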
@@ -0,0 +1,90 @@ +/* + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ + +#pragma ident "%Z%%M% %I% %E% SMI" + +#include <assert.h> + +#include "gssapi_err_generic.h" +#include "gssapi_err_krb5.h" +#include "gssapiP_krb5.h" + +#include "gss_libinit.h" +#include "k5-platform.h" + +#include "mglueP.h" + +/* + * Initialize the GSSAPI library. + */ + +MAKE_INIT_FUNCTION(gssint_lib_init); +MAKE_FINI_FUNCTION(gssint_lib_fini); + +int gssint_lib_init(void) +{ + int err; + +#ifdef SHOW_INITFINI_FUNCS + printf("gssint_lib_init\n"); +#endif + +#if !USE_BUNDLE_ERROR_STRINGS + add_error_table(&et_k5g_error_table); + add_error_table(&et_ggss_error_table); +#endif +#if 0 /* SUNW15resync */ + err = gssint_mechglue_init(); + if (err) + return err; +#endif + err = k5_mutex_finish_init(&gssint_krb5_keytab_lock); + if (err) + return err; + err = k5_key_register(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME, free); + if (err) + return err; + err = k5_key_register(K5_KEY_GSS_KRB5_CCACHE_NAME, free); + if (err) + return err; +#if 0 /* SUNW15resync - revisit when mech resynced w/1.5 */ + err = k5_mutex_finish_init(&kg_kdc_flag_mutex); + if (err) + return err; +#endif + return k5_mutex_finish_init(&kg_vdb.mutex); +} + +void gssint_lib_fini(void) +{ + if (!INITIALIZER_RAN(gssint_lib_init) || PROGRAM_EXITING()) { +#ifdef SHOW_INITFINI_FUNCS + printf("gssint_lib_fini: skipping\n"); +#endif + return; + } +#ifdef SHOW_INITFINI_FUNCS + printf("gssint_lib_fini\n"); +#endif +#if !USE_BUNDLE_ERROR_STRINGS + remove_error_table(&et_k5g_error_table); + remove_error_table(&et_ggss_error_table); +#endif + k5_key_delete(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME); + k5_key_delete(K5_KEY_GSS_KRB5_CCACHE_NAME); + k5_mutex_destroy(&kg_vdb.mutex); +#if 0 /* SUNW15resync - revisit when mech resynced w/1.5 */ + k5_mutex_destroy(&kg_kdc_flag_mutex); +#endif + k5_mutex_destroy(&gssint_krb5_keytab_lock); +#if 0 /* SUNW15resync */ + gssint_mechglue_fini(); +#endif +} + 
+OM_uint32 gssint_initialize_library (void) +{ + return CALL_INIT_FUNCTION(gssint_lib_init); +} diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/gss_libinit.h b/usr/src/lib/gss_mechs/mech_krb5/mech/gss_libinit.h new file mode 100644 index 0000000000..c8c1879636 --- /dev/null +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/gss_libinit.h @@ -0,0 +1,11 @@ +#pragma ident "%Z%%M% %I% %E% SMI" + +#ifndef GSSAPI_LIBINIT_H +#define GSSAPI_LIBINIT_H + +#include "gssapi.h" + +OM_uint32 gssint_initialize_library (void); +void gssint_cleanup_library (void); + +#endif /* GSSAPI_LIBINIT_H */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/import_name.c b/usr/src/lib/gss_mechs/mech_krb5/mech/import_name.c index ce276b0311..01b2deff7d 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/import_name.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/import_name.c @@ -1,13 +1,8 @@ -/* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - #pragma ident "%Z%%M% %I% %E% SMI" /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -17,7 +12,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR 
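Review bot: gssint_lib_init returns on the first failure without undoing what already succeeded: if `k5_key_register(K5_KEY_GSS_KRB5_CCACHE_NAME, free)` fails, `gssint_krb5_keytab_lock` is already initialised and the first key registered, and gssint_lib_fini only tears down when `INITIALIZER_RAN(gssint_lib_init)` holds, whose value after a failed initialiser is not visible here. Either unwind on each error (destroy the lock, delete the registered key) or document the contract: `/* on failure the library stays partly initialised; fini skips teardown */`. `<assert.h>` is included but nothing in the file asserts, and the `printf` calls under SHOW_INITFINI_FUNCS have no visible `<stdio.h>` include.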
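Review bot: The header declares `void gssint_cleanup_library (void);` but gss_libinit.c defines only gssint_lib_init, gssint_lib_fini and gssint_initialize_library, so the declaration has no definition anywhere in this change; either drop it or add the corresponding wrapper in gss_libinit.c. A one-line comment on `gssint_initialize_library` stating whether it is safe to call repeatedly and what a non-zero return means would help the callers that currently cast its result to void.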
@@ -28,14 +23,14 @@ */ /* - * $Id: import_name.c,v 1.17 1998/10/30 02:54:21 marc Exp $ + * $Id: import_name.c 18015 2006-05-17 05:26:12Z raeburn $ */ -#include <gssapiP_krb5.h> -#include <gssapi_generic.h> +#include "gssapiP_krb5.h" #ifndef NO_PASSWORD #include <pwd.h> +#include <stdio.h> #endif #ifdef HAVE_STRING_H @@ -52,9 +47,8 @@ */ OM_uint32 -krb5_gss_import_name(ctx, minor_status, input_name_buffer, +krb5_gss_import_name(minor_status, input_name_buffer, input_name_type, output_name) - void *ctx; OM_uint32 *minor_status; gss_buffer_t input_name_buffer; gss_OID input_name_type; @@ -69,15 +63,11 @@ krb5_gss_import_name(ctx, minor_status, input_name_buffer, struct passwd *pw; #endif - /* Solaris Kerberos: for MT safety, we avoid the use of a default - * context via kg_get_context() */ -#if 0 - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return(GSS_S_FAILURE); -#endif - - mutex_lock(&krb5_mutex); - context = ctx; + code = krb5_gss_init_context(&context); + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } /* set up default returns */ @@ -86,21 +76,15 @@ krb5_gss_import_name(ctx, minor_status, input_name_buffer, /* Go find the appropriate string rep to pass into parse_name */ - /* We support both nametypes: new and official nametype - * GSS_C_NT_HOSTBASED_SERVICE and - * old and unofficial nametype gss_nt_service_name - */ - if ((input_name_type != GSS_C_NULL_OID) && - (g_OID_equal(input_name_type, GSS_C_NT_HOSTBASED_SERVICE) || - g_OID_equal(input_name_type, gss_nt_service_name) || + (g_OID_equal(input_name_type, gss_nt_service_name) || g_OID_equal(input_name_type, gss_nt_service_name_v2))) { char *service, *host; if ((tmp = (char *) xmalloc(input_name_buffer->length + 1)) == NULL) { *minor_status = ENOMEM; - mutex_unlock(&krb5_mutex); + krb5_free_context(context); return(GSS_S_FAILURE); } 
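Review bot: The name-type test drops `GSS_C_NT_HOSTBASED_SERVICE` and keeps only `gss_nt_service_name` and `gss_nt_service_name_v2`; the removed Solaris comment described GSS_C_NT_HOSTBASED_SERVICE as the official type and gss_nt_service_name as the old unofficial one, so unless this tree's headers define gss_nt_service_name as an alias of GSS_C_NT_HOSTBASED_SERVICE (as MIT's gssapi_generic.h does), imports of host-based service names now fall through and fail with GSS_S_BAD_NAMETYPE. Confirm the OID definitions and, if they differ, restore the third comparison. The same substitution is made for the user-name and uid name types in a later hunk. krb5_gss_import_name continues past the hunk.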
@@ -108,7 +92,7 @@ krb5_gss_import_name(ctx, minor_status, input_name_buffer, tmp[input_name_buffer->length] = 0; service = tmp; - if (host = strchr(tmp, '@')) { + if ((host = strchr(tmp, '@'))) { *host = '\0'; host++; } @@ -123,7 +107,7 @@ krb5_gss_import_name(ctx, minor_status, input_name_buffer, if (input_name_buffer->length != sizeof(krb5_principal)) { *minor_status = (OM_uint32) G_WRONG_SIZE; - mutex_unlock(&krb5_mutex); + krb5_free_context(context); return(GSS_S_BAD_NAME); } @@ -131,16 +115,22 @@ krb5_gss_import_name(ctx, minor_status, input_name_buffer, if ((code = krb5_copy_principal(context, input, &princ))) { *minor_status = code; - mutex_unlock(&krb5_mutex); + krb5_free_context(context); return(GSS_S_FAILURE); } } else { +#ifndef NO_PASSWORD + uid_t uid; + struct passwd pwx; + char pwbuf[BUFSIZ]; +#endif + stringrep = NULL; if ((tmp = (char *) xmalloc(input_name_buffer->length + 1)) == NULL) { *minor_status = ENOMEM; - mutex_unlock(&krb5_mutex); + krb5_free_context(context); return(GSS_S_FAILURE); } tmp2 = 0; 
@@ -150,19 +140,19 @@ krb5_gss_import_name(ctx, minor_status, input_name_buffer, if ((input_name_type == GSS_C_NULL_OID) || g_OID_equal(input_name_type, gss_nt_krb5_name) || - g_OID_equal(input_name_type, GSS_C_NT_USER_NAME)) { + g_OID_equal(input_name_type, gss_nt_user_name)) { stringrep = (char *) tmp; #ifndef NO_PASSWORD - } else if (g_OID_equal(input_name_type, GSS_C_NT_MACHINE_UID_NAME)) { - if ((pw = getpwuid(*((uid_t *) input_name_buffer->value)))) - stringrep = pw->pw_name; - else - *minor_status = (OM_uint32) G_NOUSER; - } else if (g_OID_equal(input_name_type, GSS_C_NT_STRING_UID_NAME)) { - if ((pw = getpwuid((uid_t) atoi(tmp)))) - stringrep = pw->pw_name; + } else if (g_OID_equal(input_name_type, gss_nt_machine_uid_name)) { + uid = *(uid_t *) input_name_buffer->value; + do_getpwuid: + if (k5_getpwuid_r(uid, &pwx, pwbuf, sizeof(pwbuf), &pw) == 0) + stringrep = pw->pw_name; else *minor_status = (OM_uint32) G_NOUSER; + } else if (g_OID_equal(input_name_type, gss_nt_string_uid_name)) { + uid = atoi(tmp); + goto do_getpwuid; #endif } else if (g_OID_equal(input_name_type, gss_nt_exported_name)) { cp = tmp; @@ -191,15 +181,16 @@ krb5_gss_import_name(ctx, minor_status, input_name_buffer, if (tmp2 == NULL) { xfree(tmp); *minor_status = ENOMEM; - mutex_unlock(&krb5_mutex); + krb5_free_context(context); return GSS_S_FAILURE; } strncpy(tmp2, cp, length); tmp2[length] = 0; - + stringrep = tmp2; } else { - mutex_unlock(&krb5_mutex); + xfree(tmp); + krb5_free_context(context); return(GSS_S_BAD_NAMETYPE); } @@ -212,10 +203,10 @@ krb5_gss_import_name(ctx, minor_status, input_name_buffer, xfree(tmp); if (tmp2) xfree(tmp2); - mutex_unlock(&krb5_mutex); + krb5_free_context(context); return(GSS_S_BAD_NAME); } - + if (tmp2) xfree(tmp2); xfree(tmp); @@ -226,7 +217,7 @@ krb5_gss_import_name(ctx, minor_status, input_name_buffer, if (code) { *minor_status = (OM_uint32) code; - mutex_unlock(&krb5_mutex); + krb5_free_context(context); return(GSS_S_BAD_NAME); } 
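Review bot: `uid = *(uid_t *) input_name_buffer->value;` reads a uid_t out of the caller's buffer without checking `input_name_buffer->length`, so a short or empty buffer is read past its end; the old code had the same read, but the rewrite is the place to guard it, mirroring the principal case with `if (input_name_buffer->length != sizeof(uid_t)) { *minor_status = (OM_uint32) G_WRONG_SIZE; ... }` and returning GSS_S_BAD_NAME after freeing `tmp` and the context. The backward `goto do_getpwuid` into a sibling else-if branch reads like a switch fall-through; a small static helper taking the uid would keep both branches linear. The function continues past the hunk.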
@@ -234,14 +225,15 @@ krb5_gss_import_name(ctx, minor_status, input_name_buffer, if (! kg_save_name((gss_name_t) princ)) { krb5_free_principal(context, princ); + krb5_free_context(context); *minor_status = (OM_uint32) G_VALIDATE_FAILED; - mutex_unlock(&krb5_mutex); return(GSS_S_FAILURE); } + krb5_free_context(context); + /* return it */ *output_name = (gss_name_t) princ; - mutex_unlock(&krb5_mutex); return(GSS_S_COMPLETE); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/indicate_mechs.c b/usr/src/lib/gss_mechs/mech_krb5/mech/indicate_mechs.c index 1ae262ee73..060ac76ace 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/indicate_mechs.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/indicate_mechs.c @@ -1,8 +1,3 @@ -/* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - #pragma ident "%Z%%M% %I% %E% SMI" /* @@ -28,26 +23,22 @@ */ /* - * $Id: indicate_mechs.c,v 1.11 1999/03/26 03:51:43 tytso Exp $ + * $Id: indicate_mechs.c 18131 2006-06-14 22:27:54Z tlyu $ */ -#include <gssapiP_krb5.h> +#include "gssapiP_krb5.h" +#include "mglueP.h" -/*ARGSUSED*/ OM_uint32 -krb5_gss_indicate_mechs(ctx, minor_status, mech_set) - void *ctx; +krb5_gss_indicate_mechs(minor_status, mech_set) OM_uint32 *minor_status; gss_OID_set *mech_set; { *minor_status = 0; - /* Solaris Kerberos: note that we use gss_copy_oid_set() here - * instead of g_copy_OID_set(). Ours is defined in oid_ops.c - */ - if (gss_copy_oid_set(minor_status, gss_mech_set_krb5_v1v2, - mech_set) == GSS_S_FAILURE) { + if (! gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) { *mech_set = GSS_C_NO_OID_SET; + *minor_status = ENOMEM; return(GSS_S_FAILURE); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/init_sec_context.c b/usr/src/lib/gss_mechs/mech_krb5/mech/init_sec_context.c index 52dcf567f7..7a0015abf9 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/init_sec_context.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/init_sec_context.c 
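Review bot: In indicate_mechs.c the new condition `if (! gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set))` treats the return value as a boolean, but the line it replaces tested `== GSS_S_FAILURE`, i.e. an OM_uint32 status where GSS_S_COMPLETE (0) means success. If gssint_copy_oid_set keeps that status convention, the test is inverted: a successful copy is reported as GSS_S_FAILURE with ENOMEM, and a failed copy falls through to the success return with mech_set in whatever state the callee left it. Compare the status explicitly, `if (gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set) != GSS_S_COMPLETE) {`, and consider keeping the minor status the callee set instead of overwriting it with ENOMEM. The function's final return is outside the hunk.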
@@ -6,14 +6,14 @@ #pragma ident "%Z%%M% %I% %E% SMI" /* - * Copyright 2000 by the Massachusetts Institute of Technology. + * Copyright 2000,2002, 2003 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -27,11 +27,11 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -41,7 +41,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR 
@@ -53,14 +53,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -71,33 +71,32 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ -#include <gssapiP_krb5.h> -#include <k5-int.h> +#include "k5-int.h" +#include "gssapiP_krb5.h" +#include "gss_libinit.h" +#include "mglueP.h" +#ifdef HAVE_MEMORY_H #include <memory.h> +#endif #include <stdlib.h> -#include <syslog.h> #include <assert.h> -#define ROOT_UID 0 -#define KRB5_DEFAULT_LIFE 60*60*10 -#define CACHE_FILENAME_LEN 35 -/* - * $Id: init_sec_context.c,v 1.51.2.7 2000/06/28 02:48:22 tlyu Exp $ - */ - -extern int -safechown(const char *src, uid_t uid, gid_t gid, int mode); +/* Solaris Kerberos start */ +static OM_uint32 get_default_cred(OM_uint32 *, void *, gss_cred_id_t *); +/* Solaris Kerberos end */ /* - * XXX This is for debugging only!!! Should become a real bitfield - * at some point + * $Id: init_sec_context.c 18131 2006-06-14 22:27:54Z tlyu $ */ + +/* XXX This is for debugging only!!! Should become a real bitfield + at some point */ int krb5_gss_dbg_client_expcreds = 0; /* 
@@ -116,8 +115,7 @@ static krb5_error_code get_credentials(context, cred, server, now, krb5_error_code code; krb5_creds in_creds; - KRB5_LOG0(KRB5_INFO, "get_credentials() start\n"); - + k5_mutex_assert_locked(&cred->lock); memset((char *) &in_creds, 0, sizeof(krb5_creds)); if ((code = krb5_copy_principal(context, cred->princ, &in_creds.client))) @@ -143,18 +141,14 @@ static krb5_error_code get_credentials(context, cred, server, now, code = KRB5KRB_AP_ERR_TKT_EXPIRED; goto cleanup; } - + cleanup: if (in_creds.client) krb5_free_principal(context, in_creds.client); if (in_creds.server) krb5_free_principal(context, in_creds.server); - - KRB5_LOG(KRB5_INFO, "get_credentials() end, code = %d\n", code); - return code; } - struct gss_checksum_data { krb5_gss_ctx_id_rec *ctx; krb5_gss_cred_id_t cred; @@ -162,16 +156,19 @@ struct gss_checksum_data { krb5_data checksum_data; }; +#ifdef CFX_EXERCISE +#include "../../krb5/krb/auth_con.h" +#endif static krb5_error_code KRB5_CALLCONV make_gss_checksum (krb5_context context, krb5_auth_context auth_context, - void *cksum_data, krb5_data **out) + void *cksum_data, krb5_data **out) { krb5_error_code code; krb5_int32 con_flags; unsigned char *ptr; struct gss_checksum_data *data = cksum_data; krb5_data credmsg; - int junk; + unsigned int junk; data->checksum_data.data = 0; credmsg.data = 0; 
@@ -183,19 +180,19 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context, /* clear the time check flag that was set in krb5_auth_con_init() */ krb5_auth_con_getflags(context, auth_context, &con_flags); krb5_auth_con_setflags(context, auth_context, - con_flags & ~KRB5_AUTH_CONTEXT_DO_TIME); + con_flags & ~KRB5_AUTH_CONTEXT_DO_TIME); code = krb5_fwd_tgt_creds(context, auth_context, 0, - data->cred->princ, data->ctx->there, - data->cred->ccache, 1, - &credmsg); + data->cred->princ, data->ctx->there, + data->cred->ccache, 1, + &credmsg); /* turn KRB5_AUTH_CONTEXT_DO_TIME back on */ krb5_auth_con_setflags(context, auth_context, con_flags); if (code) { /* don't fail here; just don't accept/do the delegation - request */ + request */ data->ctx->gss_flags &= ~GSS_C_DELEG_FLAG; data->checksum_data.length = 24; @@ -203,22 +200,23 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context, if (credmsg.length+28 > KRB5_INT16_MAX) { krb5_free_data_contents(context, &credmsg); return(KRB5KRB_ERR_FIELD_TOOLONG); - } + } - data->checksum_data.length = 28+credmsg.length; + data->checksum_data.length = 28+credmsg.length; } } else { data->checksum_data.length = 24; } #ifdef CFX_EXERCISE - if (data->ctx->auth_context->keyblock->enctype == 18) { + if (data->ctx->auth_context->keyblock != NULL + && data->ctx->auth_context->keyblock->enctype == 18) { srand(time(0) ^ getpid()); /* Our ftp client code stupidly assumes a base64-encoded version of the token will fit in 10K, so don't make this too big. */ junk = rand() & 0xff; } else - junk = 0; + junk = 0; #else junk = 0; #endif 
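Review bot: The CFX_EXERCISE branch compares `data->ctx->auth_context->keyblock->enctype == 18`; the added NULL check on keyblock is right, but the bare literal should be the krb5.h constant `ENCTYPE_AES256_CTS_HMAC_SHA1_96` so the intent is readable. The padding length comes from `rand()` seeded with `time(0) ^ getpid()`, which is acceptable only because this block exists for the token-size exercise; a comment such as `/* CFX_EXERCISE is a test-only build; rand() here only varies token size */` would make that explicit next to the #ifdef. make_gss_checksum starts and ends outside this hunk.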
@@ -226,16 +224,16 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context, data->checksum_data.length += junk; /* now allocate a buffer to hold the checksum data and - (maybe) KRB_CRED msg */ + (maybe) KRB_CRED msg */ if ((data->checksum_data.data = (char *) xmalloc(data->checksum_data.length)) == NULL) { if (credmsg.data) - krb5_free_data_contents(context, &credmsg); + krb5_free_data_contents(context, &credmsg); return(ENOMEM); } - ptr = (uchar_t *)data->checksum_data.data; + ptr = (uchar_t *)data->checksum_data.data; /* SUNW15resync */ TWRITE_INT(ptr, data->md5.length, 0); TWRITE_STR(ptr, (unsigned char *) data->md5.contents, data->md5.length); @@ -257,7 +255,7 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context, *out = &data->checksum_data; return 0; } - + static krb5_error_code make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token) krb5_context context; @@ -276,13 +274,11 @@ make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token) krb5_data *checksum_data = NULL; unsigned char *ptr; unsigned char *t; - int tlen; + unsigned int tlen; + k5_mutex_assert_locked(&cred->lock); ap_req.data = 0; - /* build the checksum buffer */ - KRB5_LOG0(KRB5_INFO, "make_ap_req_v1() start\n"); - /* compute the hash of the channel bindings */ if ((code = kg_checksum_channel_bindings(context, chan_bindings, &md5, 0))) @@ -290,7 +286,6 @@ make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token) krb5_auth_con_set_req_cksumtype(context, ctx->auth_context, CKSUMTYPE_KG_CB); - cksum_struct.md5 = md5; cksum_struct.ctx = ctx; cksum_struct.cred = cred; 
@@ -300,17 +295,18 @@ make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token) case ENCTYPE_DES_CBC_MD4: case ENCTYPE_DES_CBC_MD5: case ENCTYPE_DES3_CBC_SHA1: - code = make_gss_checksum(context, ctx->auth_context, &cksum_struct, - &checksum_data); - if (code) + code = make_gss_checksum(context, ctx->auth_context, &cksum_struct, + &checksum_data); + if (code) goto cleanup; - break; + break; default: krb5_auth_con_set_checksum_func(context, ctx->auth_context, - make_gss_checksum, &cksum_struct); - break; + make_gss_checksum, &cksum_struct); + break; } + /* call mk_req. subkey and ap_req need to be used or destroyed */ mk_req_flags = AP_OPTS_USE_SUBKEY; @@ -318,8 +314,10 @@ make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token) if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) mk_req_flags |= AP_OPTS_MUTUAL_REQUIRED; - if ((code = krb5_mk_req_extended(context, &ctx->auth_context, mk_req_flags, - checksum_data, k_cred, &ap_req))) + code = krb5_mk_req_extended(context, &ctx->auth_context, mk_req_flags, + checksum_data, k_cred, &ap_req); + krb5_free_data_contents(context, &cksum_struct.checksum_data); + if (code) goto cleanup; /* store the interesting stuff from creds and authent */ @@ -340,7 +338,7 @@ make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token) ptr = t; - g_make_token_header((gss_OID) mech_type, ap_req.length, + g_make_token_header(mech_type, ap_req.length, &ptr, KG_TOK_CTX_AP_REQ); TWRITE_STR(ptr, (unsigned char *) ap_req.data, ap_req.length); 
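Review bot: After the new `krb5_free_data_contents(context, &cksum_struct.checksum_data)` following krb5_mk_req_extended, the cleanup label in the next hunk still runs `if (checksum_data && checksum_data->data) krb5_free_data_contents(context, checksum_data)`, and in the DES cases checksum_data aliases &cksum_struct.checksum_data (make_gss_checksum sets `*out = &data->checksum_data`). That is not a double free only because krb5_free_data_contents() resets ->data to NULL, and the removed comment that documented this aliasing should come back beside the new free, e.g. `/* checksum_data may alias cksum_struct.checksum_data; krb5_free_data_contents() NULLs ->data, so cleanup will not free it twice */`. make_ap_req_v1 starts and ends outside this hunk.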
@@ -351,23 +349,712 @@ make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token) token->value = (void *) t; code = 0; + + cleanup: + if (checksum_data && checksum_data->data) + krb5_free_data_contents(context, checksum_data); + if (ap_req.data) + krb5_free_data_contents(context, &ap_req); -cleanup: + return (code); +} + +/* + * setup_enc + * + * Fill in the encryption descriptors. Called after AP-REQ is made. + */ +static OM_uint32 +setup_enc( + OM_uint32 *minor_status, + krb5_gss_ctx_id_rec *ctx, + krb5_context context) +{ + + krb5_error_code code; + OM_uint32 ret = GSS_S_COMPLETE; + int i; + krb5int_access kaccess; + + code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); + if (code) + goto fail; + + ctx->have_acceptor_subkey = 0; + ctx->proto = 0; + ctx->cksumtype = 0; + switch(ctx->subkey->enctype) { + case ENCTYPE_DES_CBC_MD5: + case ENCTYPE_DES_CBC_MD4: + case ENCTYPE_DES_CBC_CRC: + ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW; + ctx->signalg = SGN_ALG_DES_MAC_MD5; + ctx->cksum_size = 8; + ctx->sealalg = SEAL_ALG_DES; + + /* The encryption key is the session key XOR + 0xf0f0f0f0f0f0f0f0. 
*/ + if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc))) + goto fail; + + for (i=0; i<ctx->enc->length; i++) + ctx->enc->contents[i] ^= 0xf0; + + goto copy_subkey_to_seq; + + case ENCTYPE_DES3_CBC_SHA1: + /* MIT extension */ + ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW; + ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD; + ctx->cksum_size = 20; + ctx->sealalg = SEAL_ALG_DES3KD; + + copy_subkey: + code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc); + if (code) + goto fail; + copy_subkey_to_seq: + code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq); + if (code) { + krb5_free_keyblock (context, ctx->enc); + goto fail; + } + goto success; + + case ENCTYPE_ARCFOUR_HMAC: + /* Microsoft extension */ + ctx->signalg = SGN_ALG_HMAC_MD5 ; + ctx->cksum_size = 8; + ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ; + + goto copy_subkey; + + default: + /* Fill some fields we shouldn't be using on this path + with garbage. */ + ctx->signalg = -10; + ctx->sealalg = -10; + + ctx->proto = 1; + code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, ctx->subkey->enctype, + &ctx->cksumtype); + if (code) + goto fail; + code = krb5_c_checksum_length(context, ctx->cksumtype, + &ctx->cksum_size); + if (code) + goto fail; + goto copy_subkey; + } + +fail: + /* SUNW15resync - (as in prev snv code) add if-code and success label fix */ + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } + +success: + return (ret); +} + +/* + * new_connection + * + * Do the grunt work of setting up a new context. 
+ */ +static OM_uint32 +new_connection( + OM_uint32 *minor_status, + krb5_gss_cred_id_t cred, + gss_ctx_id_t *context_handle, + gss_name_t target_name, + gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + gss_channel_bindings_t input_chan_bindings, + gss_buffer_t input_token, + gss_OID *actual_mech_type, + gss_buffer_t output_token, + OM_uint32 *ret_flags, + OM_uint32 *time_rec, + krb5_context context, + int default_mech) +{ + OM_uint32 major_status; + krb5_error_code code; + krb5_creds *k_cred; + krb5_gss_ctx_id_rec *ctx, *ctx_free; + krb5_timestamp now; + gss_buffer_desc token; + + k5_mutex_assert_locked(&cred->lock); + major_status = GSS_S_FAILURE; + token.length = 0; + token.value = NULL; + + /* make sure the cred is usable for init */ + + if ((cred->usage != GSS_C_INITIATE) && + (cred->usage != GSS_C_BOTH)) { + *minor_status = 0; + return(GSS_S_NO_CRED); + } + + /* complain if the input token is non-null */ + + if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) { + *minor_status = 0; + return(GSS_S_DEFECTIVE_TOKEN); + } + + /* create the ctx */ + + if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec))) + == NULL) { + *minor_status = ENOMEM; + return(GSS_S_FAILURE); + } + + /* fill in the ctx */ + memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec)); + ctx_free = ctx; + if ((code = krb5_auth_con_init(context, &ctx->auth_context))) + goto fail; + krb5_auth_con_setflags(context, ctx->auth_context, + KRB5_AUTH_CONTEXT_DO_SEQUENCE); + + /* limit the encryption types negotiated (if requested) */ + if (cred->req_enctypes) { + if ((code = krb5_set_default_tgs_enctypes(context, + cred->req_enctypes))) { + goto fail; + } + } + + ctx->initiate = 1; + ctx->gss_flags = (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | + GSS_C_TRANS_FLAG | + ((req_flags) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | + GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG))); + ctx->seed_init = 0; + ctx->big_endian = 0; /* all initiators do little-endian, as per spec */ + 
ctx->seqstate = 0; + + if ((code = krb5_timeofday(context, &now))) + goto fail; + + if (time_req == 0 || time_req == GSS_C_INDEFINITE) { + ctx->endtime = 0; + } else { + ctx->endtime = now + time_req; + } + + if ((code = krb5_copy_principal(context, cred->princ, &ctx->here))) + goto fail; + + if ((code = krb5_copy_principal(context, (krb5_principal) target_name, + &ctx->there))) + goto fail; + + code = get_credentials(context, cred, ctx->there, now, + ctx->endtime, &k_cred); + if (code) + goto fail; + + if (default_mech) { + mech_type = (gss_OID) gss_mech_krb5; + } + + if (generic_gss_copy_oid(minor_status, mech_type, &ctx->mech_used) + != GSS_S_COMPLETE) { + code = *minor_status; + goto fail; + } /* - * We only free cksum_struct.checksum_data here, because checksum_data - * could point to cksum_struct.checksum_data or NULL. + * Now try to make it static if at all possible.... */ - if (cksum_struct.checksum_data.data) - krb5_free_data_contents(context, &cksum_struct.checksum_data); - if (ap_req.data) - xfree(ap_req.data); + ctx->mech_used = krb5_gss_convert_static_mech_oid(ctx->mech_used); + + { + /* gsskrb5 v1 */ + krb5_ui_4 seq_temp; + if ((code = make_ap_req_v1(context, ctx, + cred, k_cred, input_chan_bindings, + mech_type, &token))) { + if ((code == KRB5_FCC_NOFILE) || (code == KRB5_CC_NOTFOUND) || + (code == KG_EMPTY_CCACHE)) + major_status = GSS_S_NO_CRED; + if (code == KRB5KRB_AP_ERR_TKT_EXPIRED) + major_status = GSS_S_CREDENTIALS_EXPIRED; + goto fail; + } - KRB5_LOG(KRB5_INFO, "make_ap_req_v1() end, code = %d\n", code); + krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, + (krb5_int32 *)&seq_temp); /* SUNW15resync */ + ctx->seq_send = seq_temp; + krb5_auth_con_getsendsubkey(context, ctx->auth_context, + &ctx->subkey); + } - return (code); + major_status = setup_enc(minor_status, ctx, context); + + if (k_cred) { + krb5_free_creds(context, k_cred); + k_cred = 0; + } + + /* at this point, the context is constructed and valid, + hence, releaseable */ 
+ + /* intern the context handle */ + + if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) { + code = G_VALIDATE_FAILED; + goto fail; + } + *context_handle = (gss_ctx_id_t) ctx; + ctx_free = 0; + + /* compute time_rec */ + if (time_rec) { + if ((code = krb5_timeofday(context, &now))) + goto fail; + *time_rec = ctx->endtime - now; + } + + /* set the other returns */ + *output_token = token; + + if (ret_flags) + *ret_flags = ctx->gss_flags; + + if (actual_mech_type) + *actual_mech_type = mech_type; + + /* return successfully */ + + *minor_status = 0; + if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) { + ctx->established = 0; + return(GSS_S_CONTINUE_NEEDED); + } else { + ctx->seq_recv = ctx->seq_send; + g_order_init(&(ctx->seqstate), ctx->seq_recv, + (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, + (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, ctx->proto); + ctx->gss_flags |= GSS_C_PROT_READY_FLAG; + ctx->established = 1; + return(GSS_S_COMPLETE); + } + +fail: + if (ctx_free) { + if (ctx_free->auth_context) + krb5_auth_con_free(context, ctx_free->auth_context); + if (ctx_free->here) + krb5_free_principal(context, ctx_free->here); + if (ctx_free->there) + krb5_free_principal(context, ctx_free->there); + if (ctx_free->subkey) + krb5_free_keyblock(context, ctx_free->subkey); + xfree(ctx_free); + } else + (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL); + + *minor_status = code; + return (major_status); +} + +/* + * mutual_auth + * + * Handle the reply from the acceptor, if we're doing mutual auth. 
+ */ +static OM_uint32 +mutual_auth( + OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + gss_name_t target_name, + gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + gss_channel_bindings_t input_chan_bindings, + gss_buffer_t input_token, + gss_OID *actual_mech_type, + gss_buffer_t output_token, + OM_uint32 *ret_flags, + OM_uint32 *time_rec, + krb5_context context) +{ + OM_uint32 major_status; + unsigned char *ptr; + char *sptr; + krb5_data ap_rep; + krb5_ap_rep_enc_part *ap_rep_data; + krb5_timestamp now; + krb5_gss_ctx_id_rec *ctx; + krb5_error *krb_error; + krb5_error_code code; + krb5int_access kaccess; + + major_status = GSS_S_FAILURE; + + code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); + if (code) + goto fail; + + /* validate the context handle */ + /*SUPPRESS 29*/ + if (! kg_validate_ctx_id(*context_handle)) { + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_NO_CONTEXT); + } + + ctx = (krb5_gss_ctx_id_rec *)*context_handle; /* SUNW15resync */ + + /* make sure the context is non-established, and that certain + arguments are unchanged */ + + if ((ctx->established) || + ((ctx->gss_flags & GSS_C_MUTUAL_FLAG) == 0)) { + code = KG_CONTEXT_ESTABLISHED; + goto fail; + } + + if (! 
krb5_principal_compare(context, ctx->there, + (krb5_principal) target_name)) { + (void)krb5_gss_delete_sec_context(minor_status, + context_handle, NULL); + code = 0; + major_status = GSS_S_BAD_NAME; + goto fail; + } + + /* verify the token and leave the AP_REP message in ap_rep */ + + if (input_token == GSS_C_NO_BUFFER) { + (void)krb5_gss_delete_sec_context(minor_status, + context_handle, NULL); + code = 0; + major_status = GSS_S_DEFECTIVE_TOKEN; + goto fail; + } + + ptr = (unsigned char *) input_token->value; + + if (g_verify_token_header(ctx->mech_used, + &(ap_rep.length), + &ptr, KG_TOK_CTX_AP_REP, + input_token->length, 1)) { + if (g_verify_token_header((gss_OID) ctx->mech_used, + &(ap_rep.length), + &ptr, KG_TOK_CTX_ERROR, + input_token->length, 1) == 0) { + + /* Handle a KRB_ERROR message from the server */ + + sptr = (char *) ptr; /* PC compiler bug */ + TREAD_STR(sptr, ap_rep.data, ap_rep.length); + + code = krb5_rd_error(context, &ap_rep, &krb_error); + if (code) + goto fail; + if (krb_error->error) + code = krb_error->error + ERROR_TABLE_BASE_krb5; + else + code = 0; + krb5_free_error(context, krb_error); + goto fail; + } else { + *minor_status = 0; + return(GSS_S_DEFECTIVE_TOKEN); + } + } + + sptr = (char *) ptr; /* PC compiler bug */ + TREAD_STR(sptr, ap_rep.data, ap_rep.length); + + /* decode the ap_rep */ + if ((code = krb5_rd_rep(context, ctx->auth_context, &ap_rep, + &ap_rep_data))) { + /* + * XXX A hack for backwards compatiblity. + * To be removed in 1999 -- proven + */ + krb5_auth_con_setuseruserkey(context, ctx->auth_context, + ctx->subkey); + if ((krb5_rd_rep(context, ctx->auth_context, &ap_rep, + &ap_rep_data))) + goto fail; + } + + /* store away the sequence number */ + ctx->seq_recv = ap_rep_data->seq_number; + g_order_init(&(ctx->seqstate), ctx->seq_recv, + (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, + (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) !=0, ctx->proto); + + if (ctx->proto == 1 && ap_rep_data->subkey) { + /* Keep acceptor's subkey. 
*/ + ctx->have_acceptor_subkey = 1; + code = krb5_copy_keyblock(context, ap_rep_data->subkey, + &ctx->acceptor_subkey); + if (code) + goto fail; + code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, + ctx->acceptor_subkey->enctype, + &ctx->acceptor_subkey_cksumtype); + if (code) + goto fail; + } + + /* free the ap_rep_data */ + krb5_free_ap_rep_enc_part(context, ap_rep_data); + + /* set established */ + ctx->established = 1; + + /* set returns */ + + if (time_rec) { + if ((code = krb5_timeofday(context, &now))) + goto fail; + *time_rec = ctx->endtime - now; + } + + if (ret_flags) + *ret_flags = ctx->gss_flags; + + if (actual_mech_type) + *actual_mech_type = mech_type; + + /* success */ + + *minor_status = 0; + return GSS_S_COMPLETE; + +fail: + (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL); + + *minor_status = code; + return (major_status); } +OM_uint32 +krb5_gss_init_sec_context(minor_status, claimant_cred_handle, + context_handle, target_name, mech_type, + req_flags, time_req, input_chan_bindings, + input_token, actual_mech_type, output_token, + ret_flags, time_rec) + OM_uint32 *minor_status; + gss_cred_id_t claimant_cred_handle; + gss_ctx_id_t *context_handle; + gss_name_t target_name; + gss_OID mech_type; + OM_uint32 req_flags; + OM_uint32 time_req; + gss_channel_bindings_t input_chan_bindings; + gss_buffer_t input_token; + gss_OID *actual_mech_type; + gss_buffer_t output_token; + OM_uint32 *ret_flags; + OM_uint32 *time_rec; +{ + krb5_context context; + krb5_gss_cred_id_t cred; + int err; + krb5_error_code kerr; + int default_mech = 0; + OM_uint32 major_status; + OM_uint32 tmp_min_stat; + + if (*context_handle == GSS_C_NO_CONTEXT) { + kerr = krb5_gss_init_context(&context); + if (kerr) { + *minor_status = kerr; + return GSS_S_FAILURE; + } + if (GSS_ERROR(kg_sync_ccache_name(context, minor_status))) + return GSS_S_FAILURE; + } else { + context = ((krb5_gss_ctx_id_rec *)*context_handle)->k5_context; + } + + /* set up return values so 
they can be "freed" successfully */ + + major_status = GSS_S_FAILURE; /* Default major code */ + output_token->length = 0; + output_token->value = NULL; + if (actual_mech_type) + *actual_mech_type = NULL; + + /* verify that the target_name is valid and usable */ + + if (! kg_validate_name(target_name)) { + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + if (*context_handle == GSS_C_NO_CONTEXT) + krb5_free_context(context); + return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); + } + + /* verify the credential, or use the default */ + /*SUPPRESS 29*/ + if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) { + /* + * Solaris Kerberos: here we are using the Solaris specific + * function get_default_cred() to handle the special case of a + * root principal + */ + major_status = get_default_cred(minor_status, context, + (gss_cred_id_t *)&cred); + if (major_status && GSS_ERROR(major_status)) { + if (*context_handle == GSS_C_NO_CONTEXT) + krb5_free_context(context); + return(major_status); + } + } else { + major_status = krb5_gss_validate_cred(minor_status, claimant_cred_handle); + if (GSS_ERROR(major_status)) { + if (*context_handle == GSS_C_NO_CONTEXT) + krb5_free_context(context); + return(major_status); + } + cred = (krb5_gss_cred_id_t) claimant_cred_handle; + } + kerr = k5_mutex_lock(&cred->lock); + if (kerr) { + krb5_free_context(context); + *minor_status = kerr; + return GSS_S_FAILURE; + } + + /* verify the mech_type */ + err = 0; + if (mech_type == GSS_C_NULL_OID) { + default_mech = 1; + if (cred->rfc_mech) { + mech_type = (gss_OID) gss_mech_krb5; + } else if (cred->prerfc_mech) { + mech_type = (gss_OID) gss_mech_krb5_old; + } else { + err = 1; + } + } else if (g_OID_equal(mech_type, gss_mech_krb5)) { + if (!cred->rfc_mech) + err = 1; + } else if (g_OID_equal(mech_type, gss_mech_krb5_old)) { + if (!cred->prerfc_mech) + err = 1; + } else if (g_OID_equal(mech_type, gss_mech_krb5_wrong)) { + if (!cred->rfc_mech) + err = 1; + } else { + err = 1; + } + + if (err) { + 
k5_mutex_unlock(&cred->lock); + if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) + krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred); + *minor_status = 0; + if (*context_handle == GSS_C_NO_CONTEXT) + krb5_free_context(context); + return(GSS_S_BAD_MECH); + } + + /* is this a new connection or not? */ + + /*SUPPRESS 29*/ + if (*context_handle == GSS_C_NO_CONTEXT) { + major_status = new_connection(minor_status, cred, context_handle, + target_name, mech_type, req_flags, + time_req, input_chan_bindings, + input_token, actual_mech_type, + output_token, ret_flags, time_rec, + context, default_mech); + k5_mutex_unlock(&cred->lock); + if (*context_handle == GSS_C_NO_CONTEXT) + krb5_free_context(context); + else + ((krb5_gss_ctx_id_rec *) *context_handle)->k5_context = context; + } else { + /* mutual_auth doesn't care about the credentials */ + k5_mutex_unlock(&cred->lock); + major_status = mutual_auth(minor_status, context_handle, + target_name, mech_type, req_flags, + time_req, input_chan_bindings, + input_token, actual_mech_type, + output_token, ret_flags, time_rec, + context); + /* If context_handle is now NO_CONTEXT, mutual_auth called + delete_sec_context, which would've zapped the krb5 context + too. 
*/ + } + + if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) + krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t *)&cred); + + return(major_status); +} + +#if 0 /* SUNW15resync - revisit when mech resynced w/1.5 */ +k5_mutex_t kg_kdc_flag_mutex = K5_MUTEX_PARTIAL_INITIALIZER; +static int kdc_flag = 0; +#endif + +krb5_error_code +krb5_gss_init_context (krb5_context *ctxp) +{ + krb5_error_code err; + int is_kdc; + + err = gssint_initialize_library(); + if (err) + return err; +#if 0 /* SUNW15resync - revisit when mech resynced w/1.5 */ + err = k5_mutex_lock(&kg_kdc_flag_mutex); + if (err) + return err; + is_kdc = kdc_flag; + k5_mutex_unlock(&kg_kdc_flag_mutex); + + if (is_kdc) + return krb5int_init_context_kdc(ctxp); + else + return krb5_init_context(ctxp); +#endif + return krb5_init_context(ctxp); + +} + +#if 0 /* SUNW15resync - revisit when mech resynced w/1.5 */ +krb5_error_code +krb5_gss_use_kdc_context() +{ + krb5_error_code err; + + err = gssint_initialize_library(); + if (err) + return err; + err = k5_mutex_lock(&kg_kdc_flag_mutex); + if (err) + return err; + kdc_flag = 1; + k5_mutex_unlock(&kg_kdc_flag_mutex); + return 0; +} +#endif + +/* Solaris Kerberos specific routines start */ + +#define ROOT_UID 0 +#define KRB5_DEFAULT_LIFE 60*60*10 +#define CACHE_FILENAME_LEN 35 + +extern int +safechown(const char *src, uid_t uid, gid_t gid, int mode); static krb5_boolean principal_ignore_inst_compare(context, princ1, princ2) @@ -709,7 +1396,6 @@ load_root_cred_using_keytab( *minor_status = code; return (GSS_S_FAILURE); } - /* * Solaris Kerberos: * If the client's realm is empty (using a fallback method to determine 
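Review bot: In new_connection the result of `major_status = setup_enc(minor_status, ctx, context);` is never tested: execution continues to kg_save_ctx_id and the function ends with `*minor_status = 0` and GSS_S_CONTINUE_NEEDED or GSS_S_COMPLETE, so a failed krb5_copy_keyblock or checksum-type lookup yields an established context whose enc/seq keys may be NULL. Check it once k_cred has been released, `if (major_status != GSS_S_COMPLETE) { code = *minor_status; goto fail; }`, so the existing fail path tears the context down. The fail path also never frees k_cred, which get_credentials allocated earlier, so every `goto fail` after that call (the make_ap_req_v1 and generic_gss_copy_oid failures) leaks it. In krb5_gss_init_sec_context the early `if (GSS_ERROR(kg_sync_ccache_name(context, minor_status))) return GSS_S_FAILURE;` returns without krb5_free_context(context), unlike every later early return in that function.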
@@ -774,6 +1460,11 @@ load_root_cred_using_keytab( return (GSS_S_FAILURE); } + /* + * Evidently (sigh), on success, krb5_get_init_creds_keytab + * changes the my_creds princ ptrs so we need to free those + * princs (me&server) as well as freeing all of my_creds contents. + */ code = krb5_get_init_creds_keytab(context, &my_creds, me, keytab, 0, svcname, &opt); @@ -788,16 +1479,23 @@ load_root_cred_using_keytab( return (GSS_S_FAILURE); } + + krb5_free_principal(context, server); + server = NULL; + code = krb5_cc_resolve (context, krb5_cc_default_name(context), &ccache); if (code != 0) { *minor_status = code; krb5_free_cred_contents(context, &my_creds); + krb5_free_principal(context, me); return (GSS_S_FAILURE); } code = krb5_cc_initialize (context, ccache, me); + krb5_free_principal(context, me); + me = NULL; if (code != 0) { *minor_status = code; krb5_free_cred_contents(context, &my_creds); @@ -981,13 +1679,13 @@ get_default_cred(OM_uint32 *minor_status, void *ct, gss_cred_id_t *cred_handle) /* If we can't get the time, assume the worst. */ if (krb5_timeofday(context, &now)) { - (void) krb5_gss_release_cred_no_lock(ct, &mntmp, cred_handle); + (void) krb5_gss_release_cred(&mntmp, cred_handle); return (GSS_S_CREDENTIALS_EXPIRED); } /* If root's cred has expired re-get it */ if (cred->tgt_expire < now + MIN_REFRESH_TIME && uid == ROOT_UID) { - (void) krb5_gss_release_cred_no_lock(ct, &mntmp, cred_handle); + (void) krb5_gss_release_cred(&mntmp, cred_handle); major = load_root_cred_using_keytab(minor_status, context, "root", 1); 
@@ -1010,7 +1708,7 @@ get_default_cred(OM_uint32 *minor_status, void *ct, gss_cred_id_t *cred_handle) /* Any body else is SOL unless we can renew their credential cache */ } else if ((cred->tgt_expire < now + MIN_RENEW_TIME) && (cred->tgt_expire > now)) { - (void) krb5_gss_release_cred_no_lock(ct, &mntmp, cred_handle); + (void) krb5_gss_release_cred(&mntmp, cred_handle); major = renew_ccache(minor_status, context, uid); if ((major != GSS_S_COMPLETE) && 
@@ -1030,617 +1728,4 @@ get_default_cred(OM_uint32 *minor_status, void *ct, gss_cred_id_t *cred_handle) return (GSS_S_COMPLETE); } -/* - * setup_enc - * - * Fill in the encryption descriptors. Called after AP-REQ is made. - */ -static OM_uint32 -setup_enc( - OM_uint32 *minor_status, - krb5_gss_ctx_id_rec *ctx, - krb5_context context) -{ - krb5_error_code code; - OM_uint32 ret = GSS_S_COMPLETE; - int i; - - ctx->have_acceptor_subkey = 0; - ctx->proto = 0; - ctx->cksumtype = 0; - - KRB5_LOG(KRB5_ERR, "setup_enc() enctype = %d\n", - ctx->subkey->enctype); - - switch(ctx->subkey->enctype) { - case ENCTYPE_DES_CBC_MD5: - case ENCTYPE_DES_CBC_MD4: - case ENCTYPE_DES_CBC_CRC: - ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW; - ctx->signalg = SGN_ALG_DES_MAC_MD5; - ctx->cksum_size = 8; - ctx->sealalg = SEAL_ALG_DES; - - /* The encryption key is the session key XOR - 0xf0f0f0f0f0f0f0f0. */ - if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc))) - goto fail; - - for (i=0; i<ctx->enc->length; i++) - ctx->enc->contents[i] ^= 0xf0; - - goto copy_subkey_to_seq; - - case ENCTYPE_DES3_CBC_SHA1: - /* MIT extension */ - ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW; - ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD; - ctx->cksum_size = 20; - ctx->sealalg = SEAL_ALG_DES3KD; - - copy_subkey: - code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc); - if (code) - goto fail; - copy_subkey_to_seq: - code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq); - if (code) { - krb5_free_keyblock (context, ctx->enc); - goto fail; - } - break; - - case ENCTYPE_ARCFOUR_HMAC: - /* Microsoft extension */ - ctx->signalg = SGN_ALG_HMAC_MD5 ; - ctx->cksum_size = 8; - ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ; - - goto copy_subkey; - - default: - /* Fill some fields we shouldn't be using on this path - with garbage. 
*/ - ctx->signalg = -10; - ctx->sealalg = -10; - - ctx->proto = 1; - code = krb5int_c_mandatory_cksumtype(context, ctx->subkey->enctype, - &ctx->cksumtype); - if (code) - goto fail; - code = krb5_c_checksum_length(context, ctx->cksumtype, - (size_t *)&ctx->cksum_size); - if (code) - goto fail; - goto copy_subkey; - } -fail: - if (code) { - *minor_status = code; - ret = GSS_S_FAILURE; - } -success: - return (ret); -} - -/* - * new_connection - * - * Do the grunt work of setting up a new context. - */ -static OM_uint32 -new_connection( - OM_uint32 *minor_status, - krb5_gss_cred_id_t cred, - gss_ctx_id_t *context_handle, - gss_name_t target_name, - gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - gss_channel_bindings_t input_chan_bindings, - gss_buffer_t input_token, - gss_OID *actual_mech_type, - gss_buffer_t output_token, - OM_uint32 *ret_flags, - OM_uint32 *time_rec, - krb5_context context, - int default_mech) -{ - OM_uint32 major_status; - krb5_error_code code; - krb5_creds *k_cred; - krb5_gss_ctx_id_rec *ctx, *ctx_free; - krb5_timestamp now; - gss_buffer_desc token; - - major_status = GSS_S_FAILURE; - token.length = 0; - token.value = NULL; - - /* make sure the cred is usable for init */ - - if ((cred->usage != GSS_C_INITIATE) && - (cred->usage != GSS_C_BOTH)) { - *minor_status = 0; - return(GSS_S_NO_CRED); - } - - /* complain if the input token is non-null */ - - if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) { - *minor_status = 0; - return(GSS_S_DEFECTIVE_TOKEN); - } - - /* create the ctx */ - - if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec))) - == NULL) { - *minor_status = ENOMEM; - return(GSS_S_FAILURE); - } - - /* fill in the ctx */ - memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec)); - ctx_free = ctx; - if ((code = krb5_auth_con_init(context, &ctx->auth_context))) - goto fail; - krb5_auth_con_setflags(context, ctx->auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE); - ctx->initiate = 1; - ctx->gss_flags = 
(GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | - GSS_C_TRANS_FLAG | GSS_C_PROT_READY_FLAG | - ((req_flags) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | - GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG))); - ctx->seed_init = 0; - ctx->big_endian = 0; /* all initiators do little-endian, as per spec */ - ctx->seqstate = 0; - if ((code = krb5_timeofday(context, &now))) - goto fail; - - if (time_req == 0 || time_req == GSS_C_INDEFINITE) { - ctx->endtime = 0; - } else { - ctx->endtime = now + time_req; - } - - if ((code = krb5_copy_principal(context, cred->princ, &ctx->here))) - goto fail; - - if ((code = krb5_copy_principal(context, (krb5_principal) target_name, - &ctx->there))) - goto fail; - - code = get_credentials(context, cred, ctx->there, now, - ctx->endtime, &k_cred); - if (code) - goto fail; - - if (default_mech) { - mech_type = (gss_OID) gss_mech_krb5; - } - /* Solaris Kerberos: we allocate the memory for mech_used here - * because we store mech_used as a gss_OID and not a (gss_OID *) - */ - ctx->mech_used.elements = malloc(mech_type->length); - if ( (ctx->mech_used.elements) == NULL ) { - code = ENOMEM; - major_status = GSS_S_FAILURE; - goto fail; - } - ctx->mech_used.length = mech_type->length; - memcpy(ctx->mech_used.elements, mech_type->elements, mech_type->length); - - /* - * Now try to make it static if at all possible.... 
- */ - /* Solaris Kerberos: our mech_used is part of the ctx structure */ - /* ctx->mech_used = krb5_gss_convert_static_mech_oid(&(ctx->mech_used)); */ - { - /* gsskrb5 v1 */ - krb5_ui_4 seq_temp; - if ((code = make_ap_req_v1(context, ctx, - cred, k_cred, input_chan_bindings, - mech_type, &token))) { - if ((code == KRB5_FCC_NOFILE) || (code == KRB5_CC_NOTFOUND) || - (code == KG_EMPTY_CCACHE)) - major_status = GSS_S_NO_CRED; - if (code == KRB5KRB_AP_ERR_TKT_EXPIRED) - major_status = GSS_S_CREDENTIALS_EXPIRED; - goto fail; - } - - krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, - (krb5_int32 *)&seq_temp); - ctx->seq_send = seq_temp; - krb5_auth_con_getsendsubkey(context, ctx->auth_context, - &ctx->subkey); - } - - major_status = setup_enc(minor_status, ctx, context); - - if (k_cred) { - krb5_free_creds(context, k_cred); - k_cred = 0; - } - - /* at this point, the context is constructed and valid, - hence, releaseable */ - - /* intern the context handle */ - - if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) { - code = G_VALIDATE_FAILED; - goto fail; - } - *context_handle = (gss_ctx_id_t) ctx; - ctx_free = 0; - /* compute time_rec */ - if (time_rec) { - if ((code = krb5_timeofday(context, &now))) - goto fail; - *time_rec = ctx->endtime - now; - } - - /* set the other returns */ - *output_token = token; - - if (ret_flags) - *ret_flags = ctx->gss_flags; - - if (actual_mech_type) - *actual_mech_type = mech_type; - - /* return successfully */ - - *minor_status = 0; - if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) { - ctx->established = 0; - return(GSS_S_CONTINUE_NEEDED); - } else { - ctx->seq_recv = ctx->seq_send; - g_order_init(&(ctx->seqstate), ctx->seq_recv, - (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, - (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, ctx->proto); - ctx->gss_flags |= GSS_C_PROT_READY_FLAG; - ctx->established = 1; - return(GSS_S_COMPLETE); - } - -fail: - if (ctx_free) { - if (ctx_free->auth_context) - krb5_auth_con_free(context, ctx_free->auth_context); - if 
(ctx_free->here) - krb5_free_principal(context, ctx_free->here); - if (ctx_free->there) - krb5_free_principal(context, ctx_free->there); - if (ctx_free->subkey) - krb5_free_keyblock(context, ctx_free->subkey); - xfree(ctx_free); - } else { - (void)krb5_gss_delete_sec_context_no_lock(context, minor_status, - context_handle, NULL); - } - - *minor_status = code; - return (major_status); -} - -/* - * mutual_auth - * - * Handle the reply from the acceptor, if we're doing mutual auth. - */ -static OM_uint32 -mutual_auth( - OM_uint32 *minor_status, - krb5_gss_cred_id_t cred, - gss_ctx_id_t *context_handle, - gss_name_t target_name, - gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - gss_channel_bindings_t input_chan_bindings, - gss_buffer_t input_token, - gss_OID *actual_mech_type, - gss_buffer_t output_token, - OM_uint32 *ret_flags, - OM_uint32 *time_rec, - krb5_context context) -{ - OM_uint32 major_status; - unsigned char *ptr; - char *sptr; - krb5_data ap_rep; - krb5_ap_rep_enc_part *ap_rep_data; - krb5_timestamp now; - krb5_gss_ctx_id_rec *ctx; - krb5_error *krb_error; - krb5_error_code code; - - major_status = GSS_S_FAILURE; - - /* validate the context handle */ - /*SUPPRESS 29*/ - if (! kg_validate_ctx_id(*context_handle)) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - return(GSS_S_NO_CONTEXT); - } - - ctx = (krb5_gss_ctx_id_rec *) *context_handle; - - /* make sure the context is non-established, and that certain - arguments are unchanged */ - - if ((ctx->established) || - ((ctx->gss_flags & GSS_C_MUTUAL_FLAG) == 0)) { - code = KG_CONTEXT_ESTABLISHED; - goto fail; - } - - if (! 
krb5_principal_compare(context, ctx->there, - (krb5_principal) target_name)) { - (void)krb5_gss_delete_sec_context_no_lock(context, minor_status, - context_handle, NULL); - code = 0; - major_status = GSS_S_BAD_NAME; - goto fail; - } - - /* verify the token and leave the AP_REP message in ap_rep */ - - if (input_token == GSS_C_NO_BUFFER) { - (void)krb5_gss_delete_sec_context_no_lock(context, minor_status, - context_handle, NULL); - code = 0; - major_status = GSS_S_DEFECTIVE_TOKEN; - goto fail; - } - - ptr = (unsigned char *) input_token->value; - - if (g_verify_token_header(&ctx->mech_used, - (uint32_t *)&(ap_rep.length), - &ptr, KG_TOK_CTX_AP_REP, - input_token->length, 1)) { - if (g_verify_token_header(&ctx->mech_used, - (uint32_t *)&(ap_rep.length), - &ptr, KG_TOK_CTX_ERROR, - input_token->length, 1) == 0) { - - /* Handle a KRB_ERROR message from the server */ - - sptr = (char *) ptr; /* PC compiler bug */ - TREAD_STR(sptr, ap_rep.data, ap_rep.length); - - code = krb5_rd_error(context, &ap_rep, &krb_error); - if (code) - goto fail; - if (krb_error->error) - code = krb_error->error + ERROR_TABLE_BASE_krb5; - else - code = 0; - krb5_free_error(context, krb_error); - goto fail; - } else { - *minor_status = 0; - return(GSS_S_DEFECTIVE_TOKEN); - } - } - - sptr = (char *) ptr; /* PC compiler bug */ - TREAD_STR(sptr, ap_rep.data, ap_rep.length); - - /* decode the ap_rep */ - if ((code = krb5_rd_rep(context, ctx->auth_context, &ap_rep, - &ap_rep_data))) { - /* - * XXX A hack for backwards compatiblity. 
- * To be removed in 1999 -- proven - */ - krb5_auth_con_setuseruserkey(context, ctx->auth_context, - ctx->subkey); - if ((krb5_rd_rep(context, ctx->auth_context, &ap_rep, - &ap_rep_data))) - goto fail; - } - - /* store away the sequence number */ - ctx->seq_recv = ap_rep_data->seq_number; - g_order_init(&(ctx->seqstate), ctx->seq_recv, - (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, - (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) !=0, ctx->proto); - - if (ctx->proto == 1 && ap_rep_data->subkey) { - /* Keep acceptor's subkey. */ - ctx->have_acceptor_subkey = 1; - code = krb5_copy_keyblock(context, ap_rep_data->subkey, - &ctx->acceptor_subkey); - if (code) - goto fail; - code = krb5int_c_mandatory_cksumtype(context, - ctx->acceptor_subkey->enctype, - &ctx->acceptor_subkey_cksumtype); - if (code) - goto fail; - } - - /* free the ap_rep_data */ - krb5_free_ap_rep_enc_part(context, ap_rep_data); - - /* set established */ - ctx->established = 1; - - /* set returns */ - - if (time_rec) { - if ((code = krb5_timeofday(context, &now))) - goto fail; - *time_rec = ctx->endtime - now; - } - if (ret_flags) - *ret_flags = ctx->gss_flags; - - if (actual_mech_type) - *actual_mech_type = mech_type; - - /* success */ - - *minor_status = 0; - return GSS_S_COMPLETE; - -fail: - (void)krb5_gss_delete_sec_context_no_lock(context, minor_status, - context_handle, NULL); - - *minor_status = code; - return (major_status); -} - -/* - * krb5_gss_init_sec_context - * This has been broken up into smaller chunks for CFX support. 
- * MIT KRB5 1.3.2 - */ -OM_uint32 -krb5_gss_init_sec_context(ct, minor_status, claimant_cred_handle, - context_handle, target_name, mech_type, - req_flags, time_req, input_chan_bindings, - input_token, actual_mech_type, output_token, - ret_flags, time_rec) - void *ct; - OM_uint32 *minor_status; - gss_cred_id_t claimant_cred_handle; - gss_ctx_id_t *context_handle; - gss_name_t target_name; - gss_OID mech_type; - OM_uint32 req_flags; - OM_uint32 time_req; - gss_channel_bindings_t input_chan_bindings; - gss_buffer_t input_token; - gss_OID *actual_mech_type; - gss_buffer_t output_token; - OM_uint32 *ret_flags; - OM_uint32 *time_rec; -{ - krb5_context context; - krb5_gss_cred_id_t cred = NULL; - int err; - int default_mech = 0; - OM_uint32 major_status; - OM_uint32 tmp_min_stat; - - /* Solaris Kerberos: for MT safety, we avoid the use of a default - * context via kg_get_context() */ -#if 0 - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return(GSS_S_FAILURE); -#endif - - KRB5_LOG0(KRB5_INFO, "krb5_gss_init_sec_context() start\n"); - - mutex_lock(&krb5_mutex); - context = ct; - - /* set up return values so they can be "freed" successfully */ - - major_status = GSS_S_FAILURE; /* Default major code */ - output_token->length = 0; - output_token->value = NULL; - if (actual_mech_type) - *actual_mech_type = NULL; - - /* verify that the target_name is valid and usable */ - - if (! 
kg_validate_name(target_name)) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - major_status = (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); - goto unlock; - } - - /* verify the credential, or use the default */ - /*SUPPRESS 29*/ - if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) { - /* - * Solaris Kerberos: here we are using the Solaris specific - * function get_default_cred() to handle the special case of a - * root principal - */ - major_status = get_default_cred(minor_status, ct, (gss_cred_id_t *)&cred); - if (major_status && GSS_ERROR(major_status)) { - KRB5_LOG(KRB5_ERR, "krb5_gss_init_sec_context() end, error " - "major_status = %d\n", major_status); - goto unlock; - } - } else { - major_status = krb5_gss_validate_cred_no_lock(ct, minor_status, - claimant_cred_handle); - if (GSS_ERROR(major_status)) { - KRB5_LOG(KRB5_ERR, "krb5_gss_init_sec_context() end, error " - "major_status = %d\n", major_status); - goto unlock; - } - cred = (krb5_gss_cred_id_t) claimant_cred_handle; - } - - /* verify the mech_type */ - - err = 0; - if (mech_type == GSS_C_NULL_OID) { - default_mech = 1; - if (cred->rfc_mech) { - mech_type = (gss_OID) gss_mech_krb5; - } else if (cred->prerfc_mech) { - mech_type = (gss_OID) gss_mech_krb5_old; - } else { - err = 1; - } - } else if (g_OID_equal(mech_type, gss_mech_krb5)) { - if (!cred->rfc_mech) - err = 1; - } else if (g_OID_equal(mech_type, gss_mech_krb5_old)) { - if (!cred->prerfc_mech) - err = 1; - } else { - err = 1; - } - - if (err) { - *minor_status = 0; - major_status = GSS_S_BAD_MECH; - goto unlock; - } - - /* is this a new connection or not? 
*/ - - /*SUPPRESS 29*/ - if (*context_handle == GSS_C_NO_CONTEXT) { - major_status = new_connection(minor_status, cred, context_handle, - target_name, mech_type, req_flags, - time_req, input_chan_bindings, - input_token, actual_mech_type, - output_token, ret_flags, time_rec, - context, default_mech); - } else { - major_status = mutual_auth(minor_status, cred, context_handle, - target_name, mech_type, req_flags, - time_req, input_chan_bindings, - input_token, actual_mech_type, - output_token, ret_flags, time_rec, - context); - } - -unlock: - if (claimant_cred_handle == GSS_C_NO_CREDENTIAL && cred != NULL) - krb5_gss_release_cred_no_lock(context, &tmp_min_stat, (gss_cred_id_t *)cred); - - mutex_unlock(&krb5_mutex); - - KRB5_LOG1(KRB5_ERR, "krb5_gss_init_sec_context() end, error " - "major_status = %d, minor_status = %d\n", - major_status, *minor_status); - - return (major_status); -} +/* Solaris Kerberos specific routines end */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/inq_context.c b/usr/src/lib/gss_mechs/mech_krb5/mech/inq_context.c index 7e0348c3f2..aabc0db90a 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/inq_context.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/inq_context.c @@ -1,13 +1,8 @@ -/* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - #pragma ident "%Z%%M% %I% %E% SMI" /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and 
@@ -17,7 +12,7 @@
 * without specific, written prior permission. OpenVision makes no
 * representations about the suitability of this software for any
 * purpose. It is provided "as is" without express or implied warranty.
- *
+ *
 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -27,13 +22,12 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-#include <gssapiP_krb5.h>
+#include "gssapiP_krb5.h"
 OM_uint32
-krb5_gss_inquire_context(ct, minor_status, context_handle, initiator_name,
+krb5_gss_inquire_context(minor_status, context_handle, initiator_name,
 acceptor_name, lifetime_rec, mech_type, ret_flags,
 locally_initiated, open)
- void *ct;
 OM_uint32 *minor_status;
 gss_ctx_id_t context_handle;
 gss_name_t *initiator_name;
@@ -51,16 +45,6 @@ krb5_gss_inquire_context(ct, minor_status, context_handle, initiator_name,
 krb5_timestamp now;
 krb5_deltat lifetime;
- /* Solaris Kerberos: for MT safety, we avoid the use of a default
- * context via kg_get_context() */
-#if 0
- if (GSS_ERROR(kg_get_context(minor_status, &context)))
- return(GSS_S_FAILURE);
-#endif
-
- mutex_lock(&krb5_mutex);
- context = ct;
-
 if (initiator_name)
 *initiator_name = (gss_name_t) NULL;
 if (acceptor_name)
@@ -69,7 +53,6 @@ krb5_gss_inquire_context(ct, minor_status, context_handle, initiator_name,
 /* validate the context handle */
 if (! kg_validate_ctx_id(context_handle)) {
 *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- mutex_unlock(&krb5_mutex);
 return(GSS_S_NO_CONTEXT);
 }
@@ -77,16 +60,15 @@ krb5_gss_inquire_context(ct, minor_status, context_handle, initiator_name,
 if (! ctx->established) {
 *minor_status = KG_CTX_INCOMPLETE;
- mutex_unlock(&krb5_mutex);
 return(GSS_S_NO_CONTEXT);
 }
 init = NULL;
 accept = NULL;
+ context = ctx->k5_context;
- if (code = krb5_timeofday(context, &now)) {
+ if ((code = krb5_timeofday(context, &now))) {
 *minor_status = code;
- mutex_unlock(&krb5_mutex);
 return(GSS_S_FAILURE);
 }
@@ -94,28 +76,25 @@ krb5_gss_inquire_context(ct, minor_status, context_handle, initiator_name,
 lifetime = 0;
 if (initiator_name) {
- if (code = krb5_copy_principal(context,
- ctx->initiate?ctx->here:ctx->there,
- &init)) {
+ if ((code = krb5_copy_principal(context,
+ ctx->initiate?ctx->here:ctx->there,
+ &init))) {
 *minor_status = code;
- mutex_unlock(&krb5_mutex);
 return(GSS_S_FAILURE);
 }
 if (! kg_save_name((gss_name_t) init)) {
 krb5_free_principal(context, init);
 *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- mutex_unlock(&krb5_mutex);
 return(GSS_S_FAILURE);
 }
 }
 if (acceptor_name) {
- if (code = krb5_copy_principal(context,
- ctx->initiate?ctx->there:ctx->here,
- &accept)) {
+ if ((code = krb5_copy_principal(context,
+ ctx->initiate?ctx->there:ctx->here,
+ &accept))) {
 if (init) krb5_free_principal(context, init);
 *minor_status = code;
- mutex_unlock(&krb5_mutex);
 return(GSS_S_FAILURE);
 }
 if (! kg_save_name((gss_name_t) accept)) {
@@ -125,7 +104,6 @@ krb5_gss_inquire_context(ct, minor_status, context_handle, initiator_name,
 krb5_free_principal(context, init);
 }
 *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- mutex_unlock(&krb5_mutex);
 return(GSS_S_FAILURE);
 }
 }
@@ -140,8 +118,7 @@ krb5_gss_inquire_context(ct, minor_status, context_handle, initiator_name,
 *lifetime_rec = lifetime;
 if (mech_type)
- *mech_type = &(ctx->mech_used);
-
+ *mech_type = (gss_OID) ctx->mech_used;
 if (ret_flags)
 *ret_flags = ctx->gss_flags;
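Review bot: `*mech_type = (gss_OID) ctx->mech_used;` in the @@ -140 hunk hands the caller a pointer into the context and the cast discards the const qualifier, so nothing in the visible code says the caller must not release or modify it; a comment such as `/* mech_used is owned by the context; the caller must not free it */` would document the contract the removed `&(ctx->mech_used)` form carried implicitly. With every `mutex_lock`/`mutex_unlock(&krb5_mutex)` pair removed across these hunks, the function now reads `ctx` fields and `ctx->k5_context` without any serialisation; this is presumably intended because each context carries its own `k5_context`, but a one-line note at `context = ctx->k5_context;` saying so would spare the next reader the question. krb5_gss_inquire_context starts in an earlier hunk and ends in the next one.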
@@ -153,6 +130,5 @@ krb5_gss_inquire_context(ct, minor_status, context_handle, initiator_name,
 *open = ctx->established;
 *minor_status = 0;
- mutex_unlock(&krb5_mutex);
 return((lifetime == 0)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE);
 }
diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/inq_cred.c b/usr/src/lib/gss_mechs/mech_krb5/mech/inq_cred.c
index a4a54438e8..9460971297 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/mech/inq_cred.c
+++ b/usr/src/lib/gss_mechs/mech_krb5/mech/inq_cred.c
@@ -1,8 +1,3 @@
-/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
- */
-
 #pragma ident "%Z%%M% %I% %E% SMI"
 /*
@@ -13,7 +8,7 @@
 * require a specific license from the United States Government.
 * It is the responsibility of any person or organization contemplating
 * export to obtain such a license before exporting.
- *
+ *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
@@ -27,11 +22,11 @@
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
- *
+ *
 */
 /*
 * Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
 * Permission to use, copy, modify, distribute, and sell this software
 * and its documentation for any purpose is hereby granted without fee,
 * provided that the above copyright notice appears in all copies and
@@ -41,7 +36,7 @@
 * without specific, written prior permission. OpenVision makes no
 * representations about the suitability of this software for any
 * purpose. It is provided "as is" without express or implied warranty.
- *
+ *
 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -53,14 +48,14 @@
 /*
 * Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
 * All rights reserved.
- *
+ *
 * Export of this software from the United States of America may require
 * a specific license from the United States Government. It is the
 * responsibility of any person or organization contemplating export to
 * obtain such a license before exporting.
- *
+ *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
@@ -71,44 +66,18 @@
 * permission. FundsXpress makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
- *
+ *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 */
-#include <gssapiP_krb5.h>
-#include <k5-int.h>
-
-extern OM_uint32 gss_copy_oid_set();
-extern OM_uint32 gss_create_empty_oid_set();
-extern OM_uint32 gss_add_oid_set_member();
-
+#include "gssapiP_krb5.h"
+#include "mglueP.h"
 OM_uint32
-krb5_gss_inquire_cred(ctx, minor_status, cred_handle, name, lifetime_ret,
+krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
 cred_usage, mechanisms)
- void *ctx;
- OM_uint32 *minor_status;
- gss_cred_id_t cred_handle;
- gss_name_t *name;
- OM_uint32 *lifetime_ret;
- gss_cred_usage_t *cred_usage;
- gss_OID_set *mechanisms;
-{
- OM_uint32 ret;
-
- mutex_lock(&krb5_mutex);
- ret = krb5_gss_inquire_cred_no_lock(ctx, minor_status, cred_handle, name,
- lifetime_ret, cred_usage, mechanisms);
- mutex_unlock(&krb5_mutex);
- return(ret);
-}
-
-OM_uint32
-krb5_gss_inquire_cred_no_lock(ctx, minor_status, cred_handle, name,
- lifetime_ret, cred_usage, mechanisms)
- void *ctx;
 OM_uint32 *minor_status;
 gss_cred_id_t cred_handle;
 gss_name_t *name;
@@ -122,17 +91,17 @@ krb5_gss_inquire_cred_no_lock(ctx, minor_status, cred_handle, name,
 krb5_timestamp now;
 krb5_deltat lifetime;
 krb5_principal ret_name;
- gss_OID_set mechs = GSS_C_NULL_OID_SET;
+ gss_OID_set mechs;
 OM_uint32 ret;
- /* Solaris Kerberos: for MT safety, we avoid the use of a default
- * context via kg_get_context() */
-#if 0
- if (GSS_ERROR(kg_get_context(minor_status, &context)))
- return(GSS_S_FAILURE);
-#endif
+ ret = GSS_S_FAILURE;
+ ret_name = NULL;
- context = ctx;
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
 if (name) *name = NULL; if (mechanisms) *mechanisms = NULL;
@@ -141,27 +110,35 @@ krb5_gss_inquire_cred_no_lock(ctx, minor_status, cred_handle, name,
 /*SUPPRESS 29*/
 if (cred_handle == GSS_C_NO_CREDENTIAL) {
 OM_uint32 major;
- if (((major = kg_get_defcred(minor_status, &cred_handle)) != NULL) &&
+
+ if ((major = kg_get_defcred(minor_status, (gss_cred_id_t *)&cred)) &&
 GSS_ERROR(major)) {
+ krb5_free_context(context);
 return(major);
 }
 } else {
 OM_uint32 major;
-
- major = krb5_gss_validate_cred_no_lock(context, minor_status,
- cred_handle);
+
+ major = krb5_gss_validate_cred(minor_status, cred_handle);
 if (GSS_ERROR(major)) {
+ krb5_free_context(context);
 return(major);
 }
+ cred = (krb5_gss_cred_id_t) cred_handle;
 }
- cred = (krb5_gss_cred_id_t) cred_handle;
-
 if ((code = krb5_timeofday(context, &now))) {
 *minor_status = code;
- return(GSS_S_FAILURE);
+ ret = GSS_S_FAILURE;
+ goto fail;
 }
+ code = k5_mutex_lock(&cred->lock);
+ if (code != 0) {
+ *minor_status = code;
+ ret = GSS_S_FAILURE;
+ goto fail;
+ }
 if (cred->tgt_expire > 0) {
 if ((lifetime = cred->tgt_expire - now) < 0)
 lifetime = 0;
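Review bot: `gss_OID_set mechs;` in the @@ -122 hunk drops the `GSS_C_NULL_OID_SET` initialiser, but the kg_save_name failure path added in the @@ -170 hunk calls `(void) gss_release_oid_set(minor_status, &mechs);` unconditionally, so when a caller passes `mechanisms == NULL` the set is never created and an indeterminate pointer is handed to the release routine. Keep the initialiser, `gss_OID_set mechs = GSS_C_NULL_OID_SET;`, next to the new `ret_name = NULL;`. In the @@ -141 hunk `k5_mutex_lock(&cred->lock)` is taken after `krb5_timeofday`, which is fine, but every later early exit must now pair an explicit unlock with `goto fail`; a comment at the lock such as `/* fail: does not drop cred->lock; unlock before every goto fail below */` would protect that invariant. krb5_gss_inquire_cred continues past this hunk.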
@@ -170,43 +147,50 @@ krb5_gss_inquire_cred_no_lock(ctx, minor_status, cred_handle, name,
 lifetime = GSS_C_INDEFINITE;
 if (name) {
- if (cred->princ &&
- (code = krb5_copy_principal(context, cred->princ, &ret_name))) {
+ if (cred->princ &&
+ (code = krb5_copy_principal(context, cred->princ, &ret_name))) {
+ k5_mutex_unlock(&cred->lock);
 *minor_status = code;
- return(GSS_S_FAILURE);
+ ret = GSS_S_FAILURE;
+ goto fail;
 }
 }
 if (mechanisms) {
- if (GSS_ERROR(ret = gss_create_empty_oid_set(minor_status,
+ if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status,
 &mechs)) ||
 (cred->prerfc_mech &&
- GSS_ERROR(ret = gss_add_oid_set_member(minor_status,
- (gss_OID) gss_mech_krb5_old,
+ GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
+ (const gss_OID) gss_mech_krb5_old,
 &mechs))) ||
 (cred->rfc_mech &&
- GSS_ERROR(ret = gss_add_oid_set_member(minor_status,
- (gss_OID) gss_mech_krb5,
+ GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
+ (const gss_OID) gss_mech_krb5,
 &mechs)))) {
- krb5_free_principal(context, ret_name);
+ k5_mutex_unlock(&cred->lock);
+ if (ret_name)
+ krb5_free_principal(context, ret_name);
 /* *minor_status set above */
- return(ret);
+ goto fail;
 }
 }
- /* Solaris Kerberos:
- * Don't set name to ret_name if cred->princ is NULL.
- * If cred->princ is NULL, ret_name is uninitialized and
- * name already points to NULL.
- */
- if (name && cred->princ) {
- if (! kg_save_name((gss_name_t) ret_name)) {
+ if (name) {
+ if (ret_name != NULL && ! kg_save_name((gss_name_t) ret_name)) {
+ k5_mutex_unlock(&cred->lock);
+ if (cred_handle == GSS_C_NO_CREDENTIAL)
+ krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
+ (void) gss_release_oid_set(minor_status, &mechs);
 krb5_free_principal(context, ret_name);
 *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ krb5_free_context(context);
 return(GSS_S_FAILURE);
 }
- *name = (gss_name_t) ret_name;
+ if (ret_name != NULL)
+ *name = (gss_name_t) ret_name;
+ else
+ *name = GSS_C_NO_NAME;
 }
 if (lifetime_ret)
@@ -214,20 +198,32 @@ krb5_gss_inquire_cred_no_lock(ctx, minor_status, cred_handle, name,
 if (cred_usage)
 *cred_usage = cred->usage;
+ k5_mutex_unlock(&cred->lock);
 if (mechanisms)
 *mechanisms = mechs;
+ if (cred_handle == GSS_C_NO_CREDENTIAL)
+ krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
+
+ krb5_free_context(context);
 *minor_status = 0;
 return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE);
+fail:
+ if (cred_handle == GSS_C_NO_CREDENTIAL) {
+ OM_uint32 tmp_min_stat;
+
+ krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t *)&cred);
+ }
+ krb5_free_context(context);
+ return ret;
 }
 /* V2 interface */
 OM_uint32
-krb5_gss_inquire_cred_by_mech(ctx, minor_status, cred_handle,
+krb5_gss_inquire_cred_by_mech(minor_status, cred_handle,
 mech_type, name, initiator_lifetime, acceptor_lifetime, cred_usage)
- void *ctx;
 OM_uint32 *minor_status;
 gss_cred_id_t cred_handle;
 gss_OID mech_type;
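Review bot: On the mechanisms failure path of the @@ -170 hunk (the branch ending in `/* *minor_status set above */` … `goto fail;`), when `generic_gss_create_empty_oid_set` succeeded but a later `generic_gss_add_oid_set_member` failed, the partially built `mechs` is neither released there nor in `fail:`, so the set leaks; once `mechs` is NULL-initialised, a nested block before the `goto fail`, `{ OM_uint32 tmp; if (mechs != GSS_C_NULL_OID_SET) (void) gss_release_oid_set(&tmp, &mechs); }`, closes that while leaving the `*minor_status` set by the failing call intact. The kg_save_name failure path just below performs its own cred release, context free and `return(GSS_S_FAILURE)` instead of setting `ret` and using `goto fail`, duplicating the cleanup `fail:` already provides; routing it through `fail:` would keep all exits from this function consistent. The function's opening lines are outside this hunk.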
@@ -236,35 +232,22 @@ krb5_gss_inquire_cred_by_mech(ctx, minor_status, cred_handle,
 OM_uint32 *acceptor_lifetime;
 gss_cred_usage_t *cred_usage;
 {
- krb5_context context;
 krb5_gss_cred_id_t cred;
 OM_uint32 lifetime;
 OM_uint32 mstat;
- /* Solaris Kerberos: for MT safety, we avoid the use of a default
- * context via kg_get_context() */
-#if 0
- if (GSS_ERROR(kg_get_context(minor_status, &context)))
- return(GSS_S_FAILURE);
-#endif
-
- mutex_lock(&krb5_mutex);
- context = ctx;
-
 /*
 * We only know how to handle our own creds.
 */
 if ((mech_type != GSS_C_NULL_OID) &&
 !g_OID_equal(gss_mech_krb5_old, mech_type) &&
- !g_OID_equal(gss_mech_krb5, mech_type) &&
- !g_OID_equal(gss_mech_krb5_v2, mech_type)) {
+ !g_OID_equal(gss_mech_krb5, mech_type)) {
 *minor_status = 0;
- mutex_unlock(&krb5_mutex);
 return(GSS_S_NO_CRED);
 }
 cred = (krb5_gss_cred_id_t) cred_handle;
- mstat = krb5_gss_inquire_cred_no_lock(context, minor_status,
+ mstat = krb5_gss_inquire_cred(minor_status,
 cred_handle, name, &lifetime,
@@ -282,6 +265,6 @@ krb5_gss_inquire_cred_by_mech(ctx, minor_status, cred_handle,
 acceptor_lifetime)
 *acceptor_lifetime = lifetime;
 }
- mutex_unlock(&krb5_mutex);
 return(mstat);
 }
+
diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/inq_names.c b/usr/src/lib/gss_mechs/mech_krb5/mech/inq_names.c
index 33387e7304..e5fbfa5b87 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/mech/inq_names.c
+++ b/usr/src/lib/gss_mechs/mech_krb5/mech/inq_names.c
@@ -1,8 +1,3 @@
-/*
- * Copyright 2002-2003 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
- */
-
 #pragma ident "%Z%%M% %I% %E% SMI"
 /*
@@ -35,36 +30,24 @@
 /*
 * inq_names.c - Return set of nametypes supported by the KRB5 mechanism.
 */
-#include <gssapiP_krb5.h>
+#include "gssapiP_krb5.h"
+#include "mglueP.h"
-/*ARGSUSED*/
 OM_uint32
-krb5_gss_inquire_names_for_mech(ctx, minor_status, mechanism, name_types)
- void *ctx;
+krb5_gss_inquire_names_for_mech(minor_status, mechanism, name_types)
 OM_uint32 *minor_status;
 gss_OID mechanism;
 gss_OID_set *name_types;
 {
 OM_uint32 major, minor;
- /* Solaris Kerberos: for MT safety, we avoid the use of a default
- * context via kg_get_context() */
-#if 0
- if (GSS_ERROR(kg_get_context(minor_status, &context)))
- return(GSS_S_FAILURE);
-#endif
-
- mutex_lock(&krb5_mutex);
-
 /*
 * We only know how to handle our own mechanism.
 */
 if ((mechanism != GSS_C_NULL_OID) &&
- !g_OID_equal(gss_mech_krb5_v2, mechanism) &&
 !g_OID_equal(gss_mech_krb5, mechanism) &&
 !g_OID_equal(gss_mech_krb5_old, mechanism)) {
 *minor_status = 0;
- mutex_unlock(&krb5_mutex);
 return(GSS_S_BAD_MECH);
 }
@@ -73,40 +56,38 @@ krb5_gss_inquire_names_for_mech(ctx, minor_status, mechanism, name_types) if (major == GSS_S_COMPLETE) { /* Now add our members. */ if ( - /* The following are GSS specified nametypes */ - ((major = gss_add_oid_set_member(minor_status, - (gss_OID) GSS_C_NT_USER_NAME, - name_types) + ((major = generic_gss_add_oid_set_member(minor_status, + gss_nt_user_name, + name_types) ) == GSS_S_COMPLETE) && - ((major = gss_add_oid_set_member(minor_status, - (gss_OID) GSS_C_NT_MACHINE_UID_NAME, - name_types) + ((major = generic_gss_add_oid_set_member(minor_status, + gss_nt_machine_uid_name, + name_types) ) == GSS_S_COMPLETE) && - ((major = gss_add_oid_set_member(minor_status, - (gss_OID) GSS_C_NT_STRING_UID_NAME, - name_types) + ((major = generic_gss_add_oid_set_member(minor_status, + gss_nt_string_uid_name, + name_types) ) == GSS_S_COMPLETE) && - ((major = gss_add_oid_set_member(minor_status, - (gss_OID) GSS_C_NT_HOSTBASED_SERVICE, - name_types) + ((major = generic_gss_add_oid_set_member(minor_status, + gss_nt_service_name, + name_types) ) == GSS_S_COMPLETE) && - /* The following are kerberos only nametypes */ - ((major = gss_add_oid_set_member(minor_status, - (gss_OID) gss_nt_service_name_v2, - name_types) + ((major = generic_gss_add_oid_set_member(minor_status, + gss_nt_service_name_v2, + name_types) ) == GSS_S_COMPLETE) && - ((major = gss_add_oid_set_member(minor_status, - (gss_OID) gss_nt_exported_name, - name_types) + ((major = generic_gss_add_oid_set_member(minor_status, + gss_nt_exported_name, + name_types) ) == GSS_S_COMPLETE) && - ((major = gss_add_oid_set_member(minor_status, - (gss_OID) gss_nt_krb5_name, - name_types) + ((major = generic_gss_add_oid_set_member(minor_status, + (const gss_OID) gss_nt_krb5_name, + name_types) ) == GSS_S_COMPLETE) ) { - major = gss_add_oid_set_member(minor_status, - (gss_OID) gss_nt_krb5_principal, - name_types); + major = generic_gss_add_oid_set_member(minor_status, + (const gss_OID) gss_nt_krb5_principal, + 
name_types); } /* @@ -117,6 +98,5 @@ krb5_gss_inquire_names_for_mech(ctx, minor_status, mechanism, name_types) (void) gss_release_oid_set(&minor, name_types); } - mutex_unlock(&krb5_mutex); return(major); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/k5mech.c b/usr/src/lib/gss_mechs/mech_krb5/mech/k5mech.c deleted file mode 100644 index 5d0e1e386d..0000000000 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/k5mech.c +++ /dev/null 
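Review bot: The two grouping comments dropped by this rewrite, `/* The following are GSS specified nametypes */` above the `gss_nt_user_name` add and `/* The following are kerberos only nametypes */` above `gss_nt_service_name_v2`, still describe the new list accurately and are worth keeping, since the `gss_nt_*` spellings from mglueP.h are less self-explanatory than the `GSS_C_NT_*` macros they replace. The `(const gss_OID)` casts on `gss_nt_krb5_name` and `gss_nt_krb5_principal` also deserve a second look: `gss_OID` is itself a pointer typedef, so `const gss_OID` qualifies the pointer rather than the pointee, and the cast reads as if it were silencing a `const gss_OID_desc *` to `gss_OID` conversion on those two declarations — if so it discards a qualifier rather than adding one, and the first six members get no cast at all. The enclosing function starts before this hunk; the release of `*name_types` on a failed add is visible in the following hunk.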
@@ -1,148 +0,0 @@ -/* - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - -#pragma ident "%Z%%M% %I% %E% SMI" - -/* - * XXX: I know where to find this header, but it really is using a - * private interface. I dont want to export the gss_mechanism - * structure, so I hide it in a non-published header. Thats ok, - * we know where to find it. - */ -#include <mechglueP.h> - -#include <gssapiP_krb5.h> -#include <syslog.h> -#include <libintl.h> -/* - * These are the extern declarations, one group per mechanism. They are - * contained in the files named <mech>_gssd_extern_srvr.conf. - */ - -static OM_uint32 -krb5_gss_get_context - PROTOTYPE((void**)); - -/* - * This is the declaration of the mechs_array table for Kerberos V5. - * If the gss_mechanism structure changes, so should this array! I - * told you it was a private interface! - */ - -static struct gss_config krb5_mechanism = { - {9, "\052\206\110\206\367\022\001\002\002"}, - 0, /* context, to be filled */ - krb5_gss_acquire_cred, - krb5_gss_release_cred, - krb5_gss_init_sec_context, - krb5_gss_accept_sec_context, -/* EXPORT DELETE START */ /* CRYPT DELETE START */ - krb5_gss_unseal, -/* EXPORT DELETE END */ /* CRYPT DELETE END */ - krb5_gss_process_context_token, - krb5_gss_delete_sec_context, - krb5_gss_context_time, - krb5_gss_display_status, - krb5_gss_indicate_mechs, - krb5_gss_compare_name, - krb5_gss_display_name, - krb5_gss_import_name, - krb5_gss_release_name, - krb5_gss_inquire_cred, - krb5_gss_add_cred, -/* EXPORT DELETE START */ /* CRYPT DELETE START */ - krb5_gss_seal, -/* EXPORT DELETE END */ /* CRYPT DELETE END */ - krb5_gss_export_sec_context, - krb5_gss_import_sec_context, - krb5_gss_inquire_cred_by_mech, - krb5_gss_inquire_names_for_mech, - krb5_gss_inquire_context, - krb5_gss_internal_release_oid, - krb5_gss_wrap_size_limit, - krb5_pname_to_uid, - krb5_gss_userok, - NULL, /* export_name */ -/* EXPORT DELETE START */ -/* CRYPT DELETE START */ 
-#if 0 -/* CRYPT DELETE END */ - krb5_gss_seal, - krb5_gss_unseal, -/* CRYPT DELETE START */ -#endif -/* CRYPT DELETE END */ -/* EXPORT DELETE END */ - krb5_gss_sign, - krb5_gss_verify, - krb5_gss_store_cred, - }; - -#include <k5-int.h> - - -OM_uint32 -krb5_gss_get_context(context) -void ** context; -{ - /* Solaris Kerberos: the following is a global variable declared - * and initialized in gssapi_krb5.c */ - /* static krb5_context kg_context = NULL; */ - krb5_error_code errCode = 0; - - if (context == NULL) - return (GSS_S_FAILURE); - if (kg_context) { - *context = kg_context; - return (GSS_S_COMPLETE); - } - - if ((errCode = krb5_init_context(&kg_context))) - goto error; - - if (((errCode = krb5_ser_context_init(kg_context)) != 0) || - ((errCode = krb5_ser_auth_context_init(kg_context)) != 0) || - ((errCode = krb5_ser_ccache_init(kg_context)) != 0) || - ((errCode = krb5_ser_rcache_init(kg_context)) != 0) || - ((errCode = krb5_ser_keytab_init(kg_context)) != 0) || - ((errCode = krb5_ser_context_init(kg_context)) != 0)) { - krb5_free_context(kg_context); - kg_context = 0; - goto error; - } - - *context = kg_context; - return (GSS_S_COMPLETE); - -error: - if (errCode != 0) { - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, - - "Kerberos mechanism library" - " initialization error: %s."), - error_message((long)errCode)); - } - return (GSS_S_FAILURE); -} - -/* - * entry point for the gss layer, - * called "krb5_gss_initialize()" in MIT 1.2.1 - */ -gss_mechanism -gss_mech_initialize(oid) -const gss_OID oid; -{ - /* ensure that the requested oid matches our oid */ - if (oid == NULL || !g_OID_equal(oid, &krb5_mechanism.mech_type)) - return (NULL); - - if (krb5_gss_get_context(&(krb5_mechanism.context)) != - GSS_S_COMPLETE) - return (NULL); - - return (&krb5_mechanism); -} diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/krb5_gss_glue.c b/usr/src/lib/gss_mechs/mech_krb5/mech/krb5_gss_glue.c new file mode 100644 index 0000000000..a63be60ffd --- /dev/null 
+++ b/usr/src/lib/gss_mechs/mech_krb5/mech/krb5_gss_glue.c 
@@ -0,0 +1,1369 @@ +/* + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ + +#pragma ident "%Z%%M% %I% %E% SMI" + +/* + * Copyright 1993 by OpenVision Technologies, Inc. + * + * Permission to use, copy, modify, distribute, and sell this software + * and its documentation for any purpose is hereby granted without fee, + * provided that the above copyright notice appears in all copies and + * that both that copyright notice and this permission notice appear in + * supporting documentation, and that the name of OpenVision not be used + * in advertising or publicity pertaining to distribution of the software + * without specific, written prior permission. OpenVision makes no + * representations about the suitability of this software for any + * purpose. It is provided "as is" without express or implied warranty. + * + * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, + * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO + * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR + * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF + * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR + * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. 
+ */ + +/* + * $Id: krb5_gss_glue.c 18268 2006-06-29 19:44:34Z tlyu $ + */ + +#include "gssapiP_krb5.h" +#include "mglueP.h" +#include <syslog.h> + +/** mechglue wrappers **/ + +static OM_uint32 k5glue_acquire_cred +(void *, OM_uint32*, /* minor_status */ + gss_name_t, /* desired_name */ + OM_uint32, /* time_req */ + gss_OID_set, /* desired_mechs */ + gss_cred_usage_t, /* cred_usage */ + gss_cred_id_t*, /* output_cred_handle */ + gss_OID_set*, /* actual_mechs */ + OM_uint32* /* time_rec */ + ); + +static OM_uint32 k5glue_release_cred +(void *, OM_uint32*, /* minor_status */ + gss_cred_id_t* /* cred_handle */ + ); + +static OM_uint32 k5glue_init_sec_context +(void *, OM_uint32*, /* minor_status */ + gss_cred_id_t, /* claimant_cred_handle */ + gss_ctx_id_t*, /* context_handle */ + gss_name_t, /* target_name */ + gss_OID, /* mech_type */ + OM_uint32, /* req_flags */ + OM_uint32, /* time_req */ + gss_channel_bindings_t, + /* input_chan_bindings */ + gss_buffer_t, /* input_token */ + gss_OID*, /* actual_mech_type */ + gss_buffer_t, /* output_token */ + OM_uint32*, /* ret_flags */ + OM_uint32* /* time_rec */ + ); + +static OM_uint32 k5glue_accept_sec_context +(void *, OM_uint32*, /* minor_status */ + gss_ctx_id_t*, /* context_handle */ + gss_cred_id_t, /* verifier_cred_handle */ + gss_buffer_t, /* input_token_buffer */ + gss_channel_bindings_t, + /* input_chan_bindings */ + gss_name_t*, /* src_name */ + gss_OID*, /* mech_type */ + gss_buffer_t, /* output_token */ + OM_uint32*, /* ret_flags */ + OM_uint32*, /* time_rec */ + gss_cred_id_t* /* delegated_cred_handle */ + ); + +static OM_uint32 k5glue_process_context_token +(void *, OM_uint32*, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_buffer_t /* token_buffer */ + ); + +static OM_uint32 k5glue_delete_sec_context +(void *, OM_uint32*, /* minor_status */ + gss_ctx_id_t*, /* context_handle */ + gss_buffer_t /* output_token */ + ); + +static OM_uint32 k5glue_context_time +(void *, OM_uint32*, /* minor_status 
*/ + gss_ctx_id_t, /* context_handle */ + OM_uint32* /* time_rec */ + ); + +static OM_uint32 k5glue_sign +(void *, OM_uint32*, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + int, /* qop_req */ + gss_buffer_t, /* message_buffer */ + gss_buffer_t /* message_token */ + ); + +static OM_uint32 k5glue_verify +(void *, OM_uint32*, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_buffer_t, /* message_buffer */ + gss_buffer_t, /* token_buffer */ + int* /* qop_state */ + ); + +/* EXPORT DELETE START */ +static OM_uint32 k5glue_seal +(void *, OM_uint32*, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + int, /* conf_req_flag */ + int, /* qop_req */ + gss_buffer_t, /* input_message_buffer */ + int*, /* conf_state */ + gss_buffer_t /* output_message_buffer */ + ); + +static OM_uint32 k5glue_unseal +(void *, OM_uint32*, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_buffer_t, /* input_message_buffer */ + gss_buffer_t, /* output_message_buffer */ + int*, /* conf_state */ + int* /* qop_state */ + ); +/* EXPORT DELETE END */ + +static OM_uint32 k5glue_display_status +(void *, OM_uint32*, /* minor_status */ + OM_uint32, /* status_value */ + int, /* status_type */ + gss_OID, /* mech_type */ + OM_uint32*, /* message_context */ + gss_buffer_t /* status_string */ + ); + +static OM_uint32 k5glue_indicate_mechs +(void *, OM_uint32*, /* minor_status */ + gss_OID_set* /* mech_set */ + ); + +static OM_uint32 k5glue_compare_name +(void *, OM_uint32*, /* minor_status */ + gss_name_t, /* name1 */ + gss_name_t, /* name2 */ + int* /* name_equal */ + ); + +static OM_uint32 k5glue_display_name +(void *, OM_uint32*, /* minor_status */ + gss_name_t, /* input_name */ + gss_buffer_t, /* output_name_buffer */ + gss_OID* /* output_name_type */ + ); + +static OM_uint32 k5glue_import_name +(void *, OM_uint32*, /* minor_status */ + gss_buffer_t, /* input_name_buffer */ + gss_OID, /* input_name_type */ + gss_name_t* /* output_name */ + ); + +static OM_uint32 
k5glue_release_name +(void *, OM_uint32*, /* minor_status */ + gss_name_t* /* input_name */ + ); + +static OM_uint32 k5glue_inquire_cred +(void *, OM_uint32 *, /* minor_status */ + gss_cred_id_t, /* cred_handle */ + gss_name_t *, /* name */ + OM_uint32 *, /* lifetime */ + gss_cred_usage_t*,/* cred_usage */ + gss_OID_set * /* mechanisms */ + ); + +static OM_uint32 k5glue_inquire_context +(void *, OM_uint32*, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_name_t*, /* initiator_name */ + gss_name_t*, /* acceptor_name */ + OM_uint32*, /* lifetime_rec */ + gss_OID*, /* mech_type */ + OM_uint32*, /* ret_flags */ + int*, /* locally_initiated */ + int* /* open */ + ); + +#if 0 +/* New V2 entry points */ +static OM_uint32 k5glue_get_mic +(void *, OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_qop_t, /* qop_req */ + gss_buffer_t, /* message_buffer */ + gss_buffer_t /* message_token */ + ); + +static OM_uint32 k5glue_verify_mic +(void *, OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_buffer_t, /* message_buffer */ + gss_buffer_t, /* message_token */ + gss_qop_t * /* qop_state */ + ); + +static OM_uint32 k5glue_wrap +(void *, OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + int, /* conf_req_flag */ + gss_qop_t, /* qop_req */ + gss_buffer_t, /* input_message_buffer */ + int *, /* conf_state */ + gss_buffer_t /* output_message_buffer */ + ); + +static OM_uint32 k5glue_unwrap +(void *, OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_buffer_t, /* input_message_buffer */ + gss_buffer_t, /* output_message_buffer */ + int *, /* conf_state */ + gss_qop_t * /* qop_state */ + ); +#endif + +static OM_uint32 k5glue_wrap_size_limit +(void *, OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + int, /* conf_req_flag */ + gss_qop_t, /* qop_req */ + OM_uint32, /* req_output_size */ + OM_uint32 * /* max_input_size */ + ); + +#if 0 +static OM_uint32 
k5glue_import_name_object +(void *, OM_uint32 *, /* minor_status */ + void *, /* input_name */ + gss_OID, /* input_name_type */ + gss_name_t * /* output_name */ + ); + +static OM_uint32 k5glue_export_name_object +(void *, OM_uint32 *, /* minor_status */ + gss_name_t, /* input_name */ + gss_OID, /* desired_name_type */ + void * * /* output_name */ + ); +#endif + +static OM_uint32 k5glue_add_cred +(void *, OM_uint32 *, /* minor_status */ + gss_cred_id_t, /* input_cred_handle */ + gss_name_t, /* desired_name */ + gss_OID, /* desired_mech */ + gss_cred_usage_t, /* cred_usage */ + OM_uint32, /* initiator_time_req */ + OM_uint32, /* acceptor_time_req */ + gss_cred_id_t *, /* output_cred_handle */ + gss_OID_set *, /* actual_mechs */ + OM_uint32 *, /* initiator_time_rec */ + OM_uint32 * /* acceptor_time_rec */ + ); + +static OM_uint32 k5glue_inquire_cred_by_mech +(void *, OM_uint32 *, /* minor_status */ + gss_cred_id_t, /* cred_handle */ + gss_OID, /* mech_type */ + gss_name_t *, /* name */ + OM_uint32 *, /* initiator_lifetime */ + OM_uint32 *, /* acceptor_lifetime */ + gss_cred_usage_t * /* cred_usage */ + ); + +static OM_uint32 k5glue_export_sec_context +(void *, OM_uint32 *, /* minor_status */ + gss_ctx_id_t *, /* context_handle */ + gss_buffer_t /* interprocess_token */ + ); + +static OM_uint32 k5glue_import_sec_context +(void *, OM_uint32 *, /* minor_status */ + gss_buffer_t, /* interprocess_token */ + gss_ctx_id_t * /* context_handle */ + ); + +krb5_error_code k5glue_ser_init(krb5_context); + +static OM_uint32 k5glue_internal_release_oid +(void *, OM_uint32 *, /* minor_status */ + gss_OID * /* oid */ + ); + +static OM_uint32 k5glue_inquire_names_for_mech +(void *, OM_uint32 *, /* minor_status */ + gss_OID, /* mechanism */ + gss_OID_set * /* name_types */ + ); + +#if 0 +static OM_uint32 k5glue_canonicalize_name +(void *, OM_uint32 *, /* minor_status */ + const gss_name_t, /* input_name */ + const gss_OID, /* mech_type */ + gss_name_t * /* output_name */ + ); +#endif + 
+static OM_uint32 k5glue_export_name +(void *, OM_uint32 *, /* minor_status */ + const gss_name_t, /* input_name */ + gss_buffer_t /* exported_name */ + ); + +/* SUNW15resync - Solaris specific */ +static OM_uint32 k5glue_store_cred ( + void *, + OM_uint32 *, /* minor_status */ + const gss_cred_id_t, /* input_cred */ + gss_cred_usage_t, /* cred_usage */ + const gss_OID, /* desired_mech */ + OM_uint32, /* overwrite_cred */ + OM_uint32, /* default_cred */ + gss_OID_set *, /* elements_stored */ + gss_cred_usage_t * /* cred_usage_stored */ + ); + +static OM_uint32 +k5glue_userok( + void *, /* context */ + OM_uint32 *, /* minor_status */ + const gss_name_t, /* pname */ + const char *, /* local user */ + int * /* user ok? */ + /* */); + +static OM_uint32 +k5glue_pname_to_uid( + void *, /* context */ + OM_uint32 *, /* minor_status */ + const gss_name_t, /* pname */ + uid_t * /* uid */ + /* */); + + + + +#if 0 +static OM_uint32 k5glue_duplicate_name +(void *, OM_uint32 *, /* minor_status */ + const gss_name_t, /* input_name */ + gss_name_t * /* dest_name */ + ); +#endif + +#if 0 +static OM_uint32 k5glue_validate_cred +(void *, OM_uint32 *, /* minor_status */ + gss_cred_id_t /* cred */ + ); +#endif + +#if 0 +/* + * SUNW15resync + * Solaris can't use the KRB5_GSS_CONFIG_INIT macro because of the src + * slicing&dicing needs of the "nightly -SD" build. When it goes away, + * we should use it assuming MIT still uses it then. + */ + +/* + * The krb5 mechanism provides two mech OIDs; use this initializer to + * ensure that both dispatch tables contain identical function + * pointers. + */ +#define KRB5_GSS_CONFIG_INIT \ + NULL, \ + ... 
+#endif + + +static struct gss_config krb5_mechanism = { +#if 0 /* Solaris Kerberos */ + 100, "kerberos_v5", +#endif + { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID }, + NULL, + k5glue_acquire_cred, + k5glue_release_cred, + k5glue_init_sec_context, + k5glue_accept_sec_context, +/* EXPORT DELETE START */ /* CRYPT DELETE START */ + k5glue_unseal, +/* EXPORT DELETE END */ /* CRYPT DELETE END */ + k5glue_process_context_token, + k5glue_delete_sec_context, + k5glue_context_time, + k5glue_display_status, + k5glue_indicate_mechs, + k5glue_compare_name, + k5glue_display_name, + k5glue_import_name, + k5glue_release_name, + k5glue_inquire_cred, + k5glue_add_cred, +/* EXPORT DELETE START */ /* CRYPT DELETE START */ + k5glue_seal, +/* EXPORT DELETE END */ /* CRYPT DELETE END */ + k5glue_export_sec_context, + k5glue_import_sec_context, + k5glue_inquire_cred_by_mech, + k5glue_inquire_names_for_mech, + k5glue_inquire_context, + k5glue_internal_release_oid, + k5glue_wrap_size_limit, + k5glue_pname_to_uid, + k5glue_userok, + k5glue_export_name, +/* EXPORT DELETE START */ +/* CRYPT DELETE START */ +#if 0 +/* CRYPT DELETE END */ + k5glue_seal, + k5glue_unseal, +/* CRYPT DELETE START */ +#endif +/* CRYPT DELETE END */ +/* EXPORT DELETE END */ + k5glue_sign, + k5glue_verify, + k5glue_store_cred +}; + +static struct gss_config krb5_mechanism_old = { +#if 0 /* Solaris Kerberos */ + 200, "kerberos_v5 (pre-RFC OID)", +#endif + { GSS_MECH_KRB5_OLD_OID_LENGTH, GSS_MECH_KRB5_OLD_OID }, + NULL, + k5glue_acquire_cred, + k5glue_release_cred, + k5glue_init_sec_context, + k5glue_accept_sec_context, +/* EXPORT DELETE START */ /* CRYPT DELETE START */ + k5glue_unseal, +/* EXPORT DELETE END */ /* CRYPT DELETE END */ + k5glue_process_context_token, + k5glue_delete_sec_context, + k5glue_context_time, + k5glue_display_status, + k5glue_indicate_mechs, + k5glue_compare_name, + k5glue_display_name, + k5glue_import_name, + k5glue_release_name, + k5glue_inquire_cred, + k5glue_add_cred, +/* EXPORT DELETE 
START */ /* CRYPT DELETE START */ + k5glue_seal, +/* EXPORT DELETE END */ /* CRYPT DELETE END */ + k5glue_export_sec_context, + k5glue_import_sec_context, + k5glue_inquire_cred_by_mech, + k5glue_inquire_names_for_mech, + k5glue_inquire_context, + k5glue_internal_release_oid, + k5glue_wrap_size_limit, + k5glue_pname_to_uid, + k5glue_userok, + k5glue_export_name, +/* EXPORT DELETE START */ +/* CRYPT DELETE START */ +#if 0 +/* CRYPT DELETE END */ + k5glue_seal, + k5glue_unseal, +/* CRYPT DELETE START */ +#endif +/* CRYPT DELETE END */ +/* EXPORT DELETE END */ + k5glue_sign, + k5glue_verify, + k5glue_store_cred +}; + +static struct gss_config krb5_mechanism_wrong = { +#if 0 /* Solaris Kerberos */ + 300, "kerberos_v5 (wrong OID)", +#endif + { GSS_MECH_KRB5_WRONG_OID_LENGTH, GSS_MECH_KRB5_WRONG_OID }, + NULL, + k5glue_acquire_cred, + k5glue_release_cred, + k5glue_init_sec_context, + k5glue_accept_sec_context, +/* EXPORT DELETE START */ /* CRYPT DELETE START */ + k5glue_unseal, +/* EXPORT DELETE END */ /* CRYPT DELETE END */ + k5glue_process_context_token, + k5glue_delete_sec_context, + k5glue_context_time, + k5glue_display_status, + k5glue_indicate_mechs, + k5glue_compare_name, + k5glue_display_name, + k5glue_import_name, + k5glue_release_name, + k5glue_inquire_cred, + k5glue_add_cred, +/* EXPORT DELETE START */ /* CRYPT DELETE START */ + k5glue_seal, +/* EXPORT DELETE END */ /* CRYPT DELETE END */ + k5glue_export_sec_context, + k5glue_import_sec_context, + k5glue_inquire_cred_by_mech, + k5glue_inquire_names_for_mech, + k5glue_inquire_context, + k5glue_internal_release_oid, + k5glue_wrap_size_limit, + k5glue_pname_to_uid, + k5glue_userok, + k5glue_export_name, +/* EXPORT DELETE START */ +/* CRYPT DELETE START */ +#if 0 +/* CRYPT DELETE END */ + k5glue_seal, + k5glue_unseal, +/* CRYPT DELETE START */ +#endif +/* CRYPT DELETE END */ +/* EXPORT DELETE END */ + k5glue_sign, + k5glue_verify, + k5glue_store_cred +}; + +static gss_mechanism krb5_mech_configs[] = { + 
&krb5_mechanism, &krb5_mechanism_old, &krb5_mechanism_wrong, NULL +}; + +#ifdef MS_BUG_TEST +static gss_mechanism krb5_mech_configs_hack[] = { + &krb5_mechanism, &krb5_mechanism_old, NULL +}; +#endif + +#if 1 +#define gssint_get_mech_configs krb5_gss_get_mech_configs +#endif + +gss_mechanism * +gssint_get_mech_configs(void) +{ +#ifdef MS_BUG_TEST + char *envstr = getenv("MS_FORCE_NO_MSOID"); + + if (envstr != NULL && strcmp(envstr, "1") == 0) { + return krb5_mech_configs_hack; + } +#endif + return krb5_mech_configs; +} + +static OM_uint32 +k5glue_accept_sec_context(ctx, minor_status, context_handle, verifier_cred_handle, + input_token, input_chan_bindings, src_name, mech_type, + output_token, ret_flags, time_rec, delegated_cred_handle) + void *ctx; + OM_uint32 *minor_status; + gss_ctx_id_t *context_handle; + gss_cred_id_t verifier_cred_handle; + gss_buffer_t input_token; + gss_channel_bindings_t input_chan_bindings; + gss_name_t *src_name; + gss_OID *mech_type; + gss_buffer_t output_token; + OM_uint32 *ret_flags; + OM_uint32 *time_rec; + gss_cred_id_t *delegated_cred_handle; +{ + return(krb5_gss_accept_sec_context(minor_status, + context_handle, + verifier_cred_handle, + input_token, + input_chan_bindings, + src_name, + mech_type, + output_token, + ret_flags, + time_rec, + delegated_cred_handle)); +} + +static OM_uint32 +k5glue_acquire_cred(ctx, minor_status, desired_name, time_req, desired_mechs, + cred_usage, output_cred_handle, actual_mechs, time_rec) + void *ctx; + OM_uint32 *minor_status; + gss_name_t desired_name; + OM_uint32 time_req; + gss_OID_set desired_mechs; + gss_cred_usage_t cred_usage; + gss_cred_id_t *output_cred_handle; + gss_OID_set *actual_mechs; + OM_uint32 *time_rec; +{ + return(krb5_gss_acquire_cred(minor_status, + desired_name, + time_req, + desired_mechs, + cred_usage, + output_cred_handle, + actual_mechs, + time_rec)); +} + +/* V2 */ +static OM_uint32 +k5glue_add_cred(ctx, minor_status, input_cred_handle, desired_name, desired_mech, + 
cred_usage, initiator_time_req, acceptor_time_req, + output_cred_handle, actual_mechs, initiator_time_rec, + acceptor_time_rec) + void *ctx; + OM_uint32 *minor_status; + gss_cred_id_t input_cred_handle; + gss_name_t desired_name; + gss_OID desired_mech; + gss_cred_usage_t cred_usage; + OM_uint32 initiator_time_req; + OM_uint32 acceptor_time_req; + gss_cred_id_t *output_cred_handle; + gss_OID_set *actual_mechs; + OM_uint32 *initiator_time_rec; + OM_uint32 *acceptor_time_rec; +{ + return(krb5_gss_add_cred(minor_status, input_cred_handle, desired_name, + desired_mech, cred_usage, initiator_time_req, + acceptor_time_req, output_cred_handle, + actual_mechs, initiator_time_rec, + acceptor_time_rec)); +} + +#if 0 +/* V2 */ +static OM_uint32 +k5glue_add_oid_set_member(ctx, minor_status, member_oid, oid_set) + void *ctx; + OM_uint32 *minor_status; + gss_OID member_oid; + gss_OID_set *oid_set; +{ + return(generic_gss_add_oid_set_member(minor_status, member_oid, oid_set)); +} +#endif + +static OM_uint32 +k5glue_compare_name(ctx, minor_status, name1, name2, name_equal) + void *ctx; + OM_uint32 *minor_status; + gss_name_t name1; + gss_name_t name2; + int *name_equal; +{ + return(krb5_gss_compare_name(minor_status, name1, + name2, name_equal)); +} + +static OM_uint32 +k5glue_context_time(ctx, minor_status, context_handle, time_rec) + void *ctx; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + OM_uint32 *time_rec; +{ + return(krb5_gss_context_time(minor_status, context_handle, + time_rec)); +} + +#if 0 +/* V2 */ +static OM_uint32 +k5glue_create_empty_oid_set(ctx, minor_status, oid_set) + void *ctx; + OM_uint32 *minor_status; + gss_OID_set *oid_set; +{ + return(generic_gss_create_empty_oid_set(minor_status, oid_set)); +} +#endif + +static OM_uint32 +k5glue_delete_sec_context(ctx, minor_status, context_handle, output_token) + void *ctx; + OM_uint32 *minor_status; + gss_ctx_id_t *context_handle; + gss_buffer_t output_token; +{ + 
return(krb5_gss_delete_sec_context(minor_status, + context_handle, output_token)); +} + +static OM_uint32 +k5glue_display_name(ctx, minor_status, input_name, output_name_buffer, output_name_type) + void *ctx; + OM_uint32 *minor_status; + gss_name_t input_name; + gss_buffer_t output_name_buffer; + gss_OID *output_name_type; +{ + return(krb5_gss_display_name(minor_status, input_name, + output_name_buffer, output_name_type)); +} + +static OM_uint32 +k5glue_display_status(ctx, minor_status, status_value, status_type, + mech_type, message_context, status_string) + void *ctx; + OM_uint32 *minor_status; + OM_uint32 status_value; + int status_type; + gss_OID mech_type; + OM_uint32 *message_context; + gss_buffer_t status_string; +{ + return(krb5_gss_display_status(minor_status, status_value, + status_type, mech_type, message_context, + status_string)); +} + +/* V2 */ +static OM_uint32 +k5glue_export_sec_context(ctx, minor_status, context_handle, interprocess_token) + void *ctx; + OM_uint32 *minor_status; + gss_ctx_id_t *context_handle; + gss_buffer_t interprocess_token; +{ + return(krb5_gss_export_sec_context(minor_status, + context_handle, + interprocess_token)); +} + +#if 0 +/* V2 */ +static OM_uint32 +k5glue_get_mic(ctx, minor_status, context_handle, qop_req, + message_buffer, message_token) + void *ctx; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_qop_t qop_req; + gss_buffer_t message_buffer; + gss_buffer_t message_token; +{ + return(krb5_gss_get_mic(minor_status, context_handle, + qop_req, message_buffer, message_token)); +} +#endif + +static OM_uint32 +k5glue_import_name(ctx, minor_status, input_name_buffer, input_name_type, output_name) + void *ctx; + OM_uint32 *minor_status; + gss_buffer_t input_name_buffer; + gss_OID input_name_type; + gss_name_t *output_name; +{ +#if 0 + OM_uint32 err; + err = gssint_initialize_library(); + if (err) { + *minor_status = err; + return GSS_S_FAILURE; + } +#endif + return(krb5_gss_import_name(minor_status, 
input_name_buffer, + input_name_type, output_name)); +} + +/* V2 */ +static OM_uint32 +k5glue_import_sec_context(ctx, minor_status, interprocess_token, context_handle) + void *ctx; + OM_uint32 *minor_status; + gss_buffer_t interprocess_token; + gss_ctx_id_t *context_handle; +{ + return(krb5_gss_import_sec_context(minor_status, + interprocess_token, + context_handle)); +} + +static OM_uint32 +k5glue_indicate_mechs(ctx, minor_status, mech_set) + void *ctx; + OM_uint32 *minor_status; + gss_OID_set *mech_set; +{ + return(krb5_gss_indicate_mechs(minor_status, mech_set)); +} + +static OM_uint32 +k5glue_init_sec_context(ctx, minor_status, claimant_cred_handle, context_handle, + target_name, mech_type, req_flags, time_req, + input_chan_bindings, input_token, actual_mech_type, + output_token, ret_flags, time_rec) + void *ctx; + OM_uint32 *minor_status; + gss_cred_id_t claimant_cred_handle; + gss_ctx_id_t *context_handle; + gss_name_t target_name; + gss_OID mech_type; + OM_uint32 req_flags; + OM_uint32 time_req; + gss_channel_bindings_t input_chan_bindings; + gss_buffer_t input_token; + gss_OID *actual_mech_type; + gss_buffer_t output_token; + OM_uint32 *ret_flags; + OM_uint32 *time_rec; +{ + return(krb5_gss_init_sec_context(minor_status, + claimant_cred_handle, context_handle, + target_name, mech_type, req_flags, + time_req, input_chan_bindings, input_token, + actual_mech_type, output_token, ret_flags, + time_rec)); +} + +static OM_uint32 +k5glue_inquire_context(ctx, minor_status, context_handle, initiator_name, acceptor_name, + lifetime_rec, mech_type, ret_flags, + locally_initiated, open) + void *ctx; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_name_t *initiator_name; + gss_name_t *acceptor_name; + OM_uint32 *lifetime_rec; + gss_OID *mech_type; + OM_uint32 *ret_flags; + int *locally_initiated; + int *open; +{ + return(krb5_gss_inquire_context(minor_status, context_handle, + initiator_name, acceptor_name, lifetime_rec, + mech_type, ret_flags, 
locally_initiated, + open)); +} + +static OM_uint32 +k5glue_inquire_cred(ctx, minor_status, cred_handle, name, lifetime_ret, + cred_usage, mechanisms) + void *ctx; + OM_uint32 *minor_status; + gss_cred_id_t cred_handle; + gss_name_t *name; + OM_uint32 *lifetime_ret; + gss_cred_usage_t *cred_usage; + gss_OID_set *mechanisms; +{ + return(krb5_gss_inquire_cred(minor_status, cred_handle, + name, lifetime_ret, cred_usage, mechanisms)); +} + +/* V2 */ +static OM_uint32 +k5glue_inquire_cred_by_mech(ctx, minor_status, cred_handle, mech_type, name, + initiator_lifetime, acceptor_lifetime, cred_usage) + void *ctx; + OM_uint32 *minor_status; + gss_cred_id_t cred_handle; + gss_OID mech_type; + gss_name_t *name; + OM_uint32 *initiator_lifetime; + OM_uint32 *acceptor_lifetime; + gss_cred_usage_t *cred_usage; +{ + return(krb5_gss_inquire_cred_by_mech(minor_status, cred_handle, + mech_type, name, initiator_lifetime, + acceptor_lifetime, cred_usage)); +} + +/* V2 */ +static OM_uint32 +k5glue_inquire_names_for_mech(ctx, minor_status, mechanism, name_types) + void *ctx; + OM_uint32 *minor_status; + gss_OID mechanism; + gss_OID_set *name_types; +{ + return(krb5_gss_inquire_names_for_mech(minor_status, + mechanism, + name_types)); +} + +#if 0 +/* V2 */ +static OM_uint32 +k5glue_oid_to_str(ctx, minor_status, oid, oid_str) + void *ctx; + OM_uint32 *minor_status; + gss_OID oid; + gss_buffer_t oid_str; +{ + return(generic_gss_oid_to_str(minor_status, oid, oid_str)); +} +#endif + +static OM_uint32 +k5glue_process_context_token(ctx, minor_status, context_handle, token_buffer) + void *ctx; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_buffer_t token_buffer; +{ + return(krb5_gss_process_context_token(minor_status, + context_handle, token_buffer)); +} + +static OM_uint32 +k5glue_release_cred(ctx, minor_status, cred_handle) + void *ctx; + OM_uint32 *minor_status; + gss_cred_id_t *cred_handle; +{ + return(krb5_gss_release_cred(minor_status, cred_handle)); +} + +static OM_uint32 
+k5glue_release_name(ctx, minor_status, input_name) + void *ctx; + OM_uint32 *minor_status; + gss_name_t *input_name; +{ + return(krb5_gss_release_name(minor_status, input_name)); +} + +#if 0 +static OM_uint32 +k5glue_release_buffer(ctx, minor_status, buffer) + void *ctx; + OM_uint32 *minor_status; + gss_buffer_t buffer; +{ + return(generic_gss_release_buffer(minor_status, + buffer)); +} +#endif + +/* V2 */ +static OM_uint32 +k5glue_internal_release_oid(ctx, minor_status, oid) + void *ctx; + OM_uint32 *minor_status; + gss_OID *oid; +{ + return(krb5_gss_internal_release_oid(minor_status, oid)); +} + +#if 0 +static OM_uint32 +k5glue_release_oid_set(ctx, minor_status, set) + void *ctx; + OM_uint32 * minor_status; + gss_OID_set *set; +{ + return(generic_gss_release_oid_set(minor_status, set)); +} +#endif + +/* EXPORT DELETE START */ +/* V1 only */ +static OM_uint32 +k5glue_seal(ctx, minor_status, context_handle, conf_req_flag, qop_req, + input_message_buffer, conf_state, output_message_buffer) + void *ctx; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + int conf_req_flag; + int qop_req; + gss_buffer_t input_message_buffer; + int *conf_state; + gss_buffer_t output_message_buffer; +{ + return(krb5_gss_seal(minor_status, context_handle, + conf_req_flag, qop_req, input_message_buffer, + conf_state, output_message_buffer)); +} +/* EXPORT DELETE END */ + +static OM_uint32 +k5glue_sign(ctx, minor_status, context_handle, + qop_req, message_buffer, + message_token) + void *ctx; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + int qop_req; + gss_buffer_t message_buffer; + gss_buffer_t message_token; +{ + return(krb5_gss_sign(minor_status, context_handle, + qop_req, message_buffer, message_token)); +} + +#if 0 +/* V2 */ +static OM_uint32 +k5glue_verify_mic(ctx, minor_status, context_handle, + message_buffer, token_buffer, qop_state) + void *ctx; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_buffer_t message_buffer; + gss_buffer_t 
token_buffer; + gss_qop_t *qop_state; +{ + return(krb5_gss_verify_mic(minor_status, context_handle, + message_buffer, token_buffer, qop_state)); +} + +/* V2 */ +static OM_uint32 +k5glue_wrap(ctx, minor_status, context_handle, conf_req_flag, qop_req, + input_message_buffer, conf_state, output_message_buffer) + void *ctx; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + int conf_req_flag; + gss_qop_t qop_req; + gss_buffer_t input_message_buffer; + int *conf_state; + gss_buffer_t output_message_buffer; +{ + return(krb5_gss_wrap(minor_status, context_handle, conf_req_flag, qop_req, + input_message_buffer, conf_state, + output_message_buffer)); +} + +/* V2 */ +static OM_uint32 +k5glue_str_to_oid(ctx, minor_status, oid_str, oid) + void *ctx; + OM_uint32 *minor_status; + gss_buffer_t oid_str; + gss_OID *oid; +{ + return(generic_gss_str_to_oid(minor_status, oid_str, oid)); +} + +/* V2 */ +static OM_uint32 +k5glue_test_oid_set_member(ctx, minor_status, member, set, present) + void *ctx; + OM_uint32 *minor_status; + gss_OID member; + gss_OID_set set; + int *present; +{ + return(generic_gss_test_oid_set_member(minor_status, member, set, + present)); +} +#endif + +/* EXPORT DELETE START */ +/* V1 only */ +static OM_uint32 +k5glue_unseal(ctx, minor_status, context_handle, input_message_buffer, + output_message_buffer, conf_state, qop_state) + void *ctx; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_buffer_t input_message_buffer; + gss_buffer_t output_message_buffer; + int *conf_state; + int *qop_state; +{ + return(krb5_gss_unseal(minor_status, context_handle, + input_message_buffer, output_message_buffer, + conf_state, qop_state)); +} +/* EXPORT DELETE END */ + +#if 0 +/* V2 */ +static OM_uint32 +k5glue_unwrap(ctx, minor_status, context_handle, input_message_buffer, + output_message_buffer, conf_state, qop_state) + void *ctx; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_buffer_t input_message_buffer; + gss_buffer_t 
output_message_buffer; + int *conf_state; + gss_qop_t *qop_state; +{ + return(krb5_gss_unwrap(minor_status, context_handle, input_message_buffer, + output_message_buffer, conf_state, qop_state)); +} +#endif + +/* V1 only */ +static OM_uint32 +k5glue_verify(ctx, minor_status, context_handle, message_buffer, + token_buffer, qop_state) + void *ctx; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_buffer_t message_buffer; + gss_buffer_t token_buffer; + int *qop_state; +{ + return(krb5_gss_verify(minor_status, + context_handle, + message_buffer, + token_buffer, + qop_state)); +} + +/* V2 interface */ +static OM_uint32 +k5glue_wrap_size_limit(ctx, minor_status, context_handle, conf_req_flag, + qop_req, req_output_size, max_input_size) + void *ctx; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + int conf_req_flag; + gss_qop_t qop_req; + OM_uint32 req_output_size; + OM_uint32 *max_input_size; +{ + return(krb5_gss_wrap_size_limit(minor_status, context_handle, + conf_req_flag, qop_req, + req_output_size, max_input_size)); +} + +#if 0 +/* V2 interface */ +static OM_uint32 +k5glue_canonicalize_name(ctx, minor_status, input_name, mech_type, output_name) + void *ctx; + OM_uint32 *minor_status; + const gss_name_t input_name; + const gss_OID mech_type; + gss_name_t *output_name; +{ + return krb5_gss_canonicalize_name(minor_status, input_name, + mech_type, output_name); +} +#endif + +/* V2 interface */ +static OM_uint32 +k5glue_export_name(ctx, minor_status, input_name, exported_name) + void *ctx; + OM_uint32 *minor_status; + const gss_name_t input_name; + gss_buffer_t exported_name; +{ + return krb5_gss_export_name(minor_status, input_name, exported_name); +} + +/* SUNW15resync - this is not in the MIT mech (lib) yet */ +static OM_uint32 +k5glue_store_cred(ctx, minor_status, input_cred, cred_usage, desired_mech, + overwrite_cred, default_cred, elements_stored, + cred_usage_stored) +void *ctx; +OM_uint32 *minor_status; +const gss_cred_id_t input_cred; 
+gss_cred_usage_t cred_usage; +gss_OID desired_mech; +OM_uint32 overwrite_cred; +OM_uint32 default_cred; +gss_OID_set *elements_stored; +gss_cred_usage_t *cred_usage_stored; +{ + return(krb5_gss_store_cred(minor_status, input_cred, + cred_usage, desired_mech, + overwrite_cred, default_cred, elements_stored, + cred_usage_stored)); +} + +static OM_uint32 +k5glue_userok( + void *ctxt, /* context */ + OM_uint32 *minor, /* minor_status */ + const gss_name_t pname, /* pname */ + const char *user, /* local user */ + int *user_ok /* user ok? */ + /* */) +{ + return(krb5_gss_userok(minor, pname, user, user_ok)); +} + +static OM_uint32 +k5glue_pname_to_uid( + void *ctxt, /* context */ + OM_uint32 *minor, /* minor_status */ + const gss_name_t pname, /* pname */ + uid_t *uidOut /* uid */ + /* */) +{ + return (krb5_pname_to_uid(minor, pname, uidOut)); +} + + + +#if 0 +/* V2 interface */ +static OM_uint32 +k5glue_duplicate_name(ctx, minor_status, input_name, dest_name) + void *ctx; + OM_uint32 *minor_status; + const gss_name_t input_name; + gss_name_t *dest_name; +{ + return krb5_gss_duplicate_name(minor_status, input_name, dest_name); +} +#endif + +OM_uint32 KRB5_CALLCONV +gss_krb5_get_tkt_flags( + OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + krb5_flags *ticket_flags) +{ + gss_union_ctx_id_t uctx; + + uctx = (gss_union_ctx_id_t)context_handle; + if (!g_OID_equal(uctx->mech_type, &krb5_mechanism.mech_type) && + !g_OID_equal(uctx->mech_type, &krb5_mechanism_old.mech_type)) + return GSS_S_BAD_MECH; + return gss_krb5int_get_tkt_flags(minor_status, uctx->internal_ctx_id, + ticket_flags); +} + +OM_uint32 KRB5_CALLCONV +gss_krb5_copy_ccache( + OM_uint32 *minor_status, + gss_cred_id_t cred_handle, + krb5_ccache out_ccache) +{ + gss_union_cred_t ucred; + gss_cred_id_t mcred; + + ucred = (gss_union_cred_t)cred_handle; + + mcred = gssint_get_mechanism_cred(ucred, &krb5_mechanism.mech_type); + if (mcred != GSS_C_NO_CREDENTIAL) + return gss_krb5int_copy_ccache(minor_status, 
mcred, out_ccache); + + mcred = gssint_get_mechanism_cred(ucred, &krb5_mechanism_old.mech_type); + if (mcred != GSS_C_NO_CREDENTIAL) + return gss_krb5int_copy_ccache(minor_status, mcred, out_ccache); + + return GSS_S_DEFECTIVE_CREDENTIAL; +} + +/* XXX need to delete mechglue ctx too */ +OM_uint32 KRB5_CALLCONV +gss_krb5_export_lucid_sec_context( + OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + OM_uint32 version, + void **kctx) +{ + gss_union_ctx_id_t uctx; + + uctx = (gss_union_ctx_id_t)*context_handle; + if (!g_OID_equal(uctx->mech_type, &krb5_mechanism.mech_type) && + !g_OID_equal(uctx->mech_type, &krb5_mechanism_old.mech_type)) + return GSS_S_BAD_MECH; + return gss_krb5int_export_lucid_sec_context(minor_status, + &uctx->internal_ctx_id, + version, kctx); +} + +OM_uint32 KRB5_CALLCONV +gss_krb5_set_allowable_enctypes( + OM_uint32 *minor_status, + gss_cred_id_t cred, + OM_uint32 num_ktypes, + krb5_enctype *ktypes) +{ + gss_union_cred_t ucred; + gss_cred_id_t mcred; + + ucred = (gss_union_cred_t)cred; + mcred = gssint_get_mechanism_cred(ucred, &krb5_mechanism.mech_type); + if (mcred != GSS_C_NO_CREDENTIAL) + return gss_krb5int_set_allowable_enctypes(minor_status, mcred, + num_ktypes, ktypes); + + mcred = gssint_get_mechanism_cred(ucred, &krb5_mechanism_old.mech_type); + if (mcred != GSS_C_NO_CREDENTIAL) + return gss_krb5int_set_allowable_enctypes(minor_status, mcred, + num_ktypes, ktypes); + + return GSS_S_DEFECTIVE_CREDENTIAL; +} + +/* + * Glue routine for returning the mechanism-specific credential from a + * external union credential. 
+ */ +/* SUNW15resync - in MIT 1.5, it's in g_glue.c (libgss) but we don't + want to link against libgss so we put it here since we need it in the mech */ +gss_cred_id_t +gssint_get_mechanism_cred(union_cred, mech_type) + gss_union_cred_t union_cred; + gss_OID mech_type; +{ + int i; + + if (union_cred == (gss_union_cred_t) GSS_C_NO_CREDENTIAL) + return GSS_C_NO_CREDENTIAL; + + for (i=0; i < union_cred->count; i++) { + if (g_OID_equal(mech_type, &union_cred->mechs_array[i])) + return union_cred->cred_array[i]; + } + return GSS_C_NO_CREDENTIAL; +} + + + +/* + * entry point for the gss layer, + * called "krb5_gss_initialize()" in MIT 1.2.1 + */ +/* SUNW15resync - this used to be in k5mech.c */ +gss_mechanism +gss_mech_initialize(oid) + const gss_OID oid; +{ + /* ensure that the requested oid matches our oid */ + if (oid == NULL || !g_OID_equal(oid, &krb5_mechanism.mech_type)) { + (void) syslog(LOG_INFO, "krb5mech: gss_mech_initialize: bad oid"); + return (NULL); + } + +#if 0 /* SUNW15resync - no longer needed(?) */ + if (krb5_gss_get_context(&(krb5_mechanism.context)) != + GSS_S_COMPLETE) + return (NULL); +#endif + + return (&krb5_mechanism); +} + diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/lucid_context.c b/usr/src/lib/gss_mechs/mech_krb5/mech/lucid_context.c new file mode 100644 index 0000000000..e46358d07c --- /dev/null +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/lucid_context.c 
@@ -0,0 +1,311 @@ +#pragma ident "%Z%%M% %I% %E% SMI" + +/* + * lib/gssapi/krb5/lucid_context.c + * + * Copyright 2004 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + */ + +/* + * lucid_context.c - Externalize a "lucid" security + * context from a krb5_gss_ctx_id_rec structure. 
+ */ +#include "gssapiP_krb5.h" +#include "gssapi_krb5.h" + +/* + * Local routine prototypes + */ +static void +free_external_lucid_ctx_v1( + gss_krb5_lucid_context_v1_t *ctx); + +static void +free_lucid_key_data( + gss_krb5_lucid_key_t *key); + +static krb5_error_code +copy_keyblock_to_lucid_key( + krb5_keyblock *k5key, + gss_krb5_lucid_key_t *lkey); + +static krb5_error_code +make_external_lucid_ctx_v1( + krb5_gss_ctx_id_rec * gctx, + unsigned int version, + void **out_ptr); + + +/* + * Exported routines + */ + +OM_uint32 KRB5_CALLCONV +gss_krb5int_export_lucid_sec_context( + OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + OM_uint32 version, + void **kctx) +{ + krb5_error_code kret = 0; + OM_uint32 retval; + krb5_gss_ctx_id_t ctx; + void *lctx = NULL; + + /* Assume failure */ + retval = GSS_S_FAILURE; + *minor_status = 0; + + if (kctx) + *kctx = NULL; + else { + kret = EINVAL; + goto error_out; + } + + if (!kg_validate_ctx_id(*context_handle)) { + kret = (OM_uint32) G_VALIDATE_FAILED; + retval = GSS_S_NO_CONTEXT; + goto error_out; + } + + ctx = (krb5_gss_ctx_id_t) *context_handle; + if (kret) + goto error_out; + + /* Externalize a structure of the right version */ + switch (version) { + case 1: + kret = make_external_lucid_ctx_v1((krb5_pointer)ctx, + version, &lctx); + break; + default: + kret = (OM_uint32) KG_LUCID_VERSION; + break; + } + + if (kret) + goto error_out; + + /* Success! Record the context and return the buffer */ + if (! 
kg_save_lucidctx_id((void *)lctx)) { + kret = G_VALIDATE_FAILED; + goto error_out; + } + + *kctx = lctx; + *minor_status = 0; + retval = GSS_S_COMPLETE; + + /* Clean up the context state (it is an error for + * someone to attempt to use this context again) + */ + (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL); + *context_handle = GSS_C_NO_CONTEXT; + + return (retval); + +error_out: + if (*minor_status == 0) + *minor_status = (OM_uint32) kret; + return(retval); +} + +/* + * Frees the storage associated with an + * exported lucid context structure. + */ +OM_uint32 KRB5_CALLCONV +gss_krb5_free_lucid_sec_context( + OM_uint32 *minor_status, + void *kctx) +{ + OM_uint32 retval; + krb5_error_code kret = 0; + int version; + + /* Assume failure */ + retval = GSS_S_FAILURE; + *minor_status = 0; + + if (!kctx) { + kret = EINVAL; + goto error_out; + } + + /* Verify pointer is valid lucid context */ + if (! kg_validate_lucidctx_id(kctx)) { + kret = G_VALIDATE_FAILED; + goto error_out; + } + + /* Determine version and call correct free routine */ + version = ((gss_krb5_lucid_context_version_t *)kctx)->version; + switch (version) { + case 1: + free_external_lucid_ctx_v1((gss_krb5_lucid_context_v1_t*) kctx); + break; + default: + kret = EINVAL; + break; + } + + if (kret) + goto error_out; + + /* Success! 
*/ + (void)kg_delete_lucidctx_id(kctx); + *minor_status = 0; + retval = GSS_S_COMPLETE; + + return (retval); + +error_out: + if (*minor_status == 0) + *minor_status = (OM_uint32) kret; + return(retval); +} + +/* + * Local routines + */ + +static krb5_error_code +make_external_lucid_ctx_v1( + krb5_gss_ctx_id_rec * gctx, + unsigned int version, + void **out_ptr) +{ + gss_krb5_lucid_context_v1_t *lctx = NULL; + unsigned int bufsize = sizeof(gss_krb5_lucid_context_v1_t); + krb5_error_code retval; + + /* Allocate the structure */ + if ((lctx = xmalloc(bufsize)) == NULL) { + retval = ENOMEM; + goto error_out; + } + + memset(lctx, 0, bufsize); + + lctx->version = 1; + lctx->initiate = gctx->initiate ? 1 : 0; + lctx->endtime = gctx->endtime; + lctx->send_seq = gctx->seq_send; + lctx->recv_seq = gctx->seq_recv; + lctx->protocol = gctx->proto; + /* gctx->proto == 0 ==> rfc1964-style key information + gctx->proto == 1 ==> cfx-style (draft-ietf-krb-wg-gssapi-cfx-07) keys */ + if (gctx->proto == 0) { + lctx->rfc1964_kd.sign_alg = gctx->signalg; + lctx->rfc1964_kd.seal_alg = gctx->sealalg; + /* Copy key */ + if ((retval = copy_keyblock_to_lucid_key(gctx->subkey, + &lctx->rfc1964_kd.ctx_key))) + goto error_out; + } + else if (gctx->proto == 1) { + /* Copy keys */ + /* (subkey is always present, either a copy of the kerberos + session key or a subkey) */ + if ((retval = copy_keyblock_to_lucid_key(gctx->subkey, + &lctx->cfx_kd.ctx_key))) + goto error_out; + if (gctx->have_acceptor_subkey) { + if ((retval = copy_keyblock_to_lucid_key(gctx->enc, + &lctx->cfx_kd.acceptor_subkey))) + goto error_out; + lctx->cfx_kd.have_acceptor_subkey = 1; + } + } + else { + return EINVAL; /* XXX better error code? */ + } + + /* Success! 
*/ + *out_ptr = lctx; + return 0; + +error_out: + if (lctx) { + free_external_lucid_ctx_v1(lctx); + } + return retval; + +} + +/* Copy the contents of a krb5_keyblock to a gss_krb5_lucid_key_t structure */ +static krb5_error_code +copy_keyblock_to_lucid_key( + krb5_keyblock *k5key, + gss_krb5_lucid_key_t *lkey) +{ + if (!k5key || !k5key->contents || k5key->length == 0) + return EINVAL; + + memset(lkey, 0, sizeof(gss_krb5_lucid_key_t)); + + /* Allocate storage for the key data */ + if ((lkey->data = xmalloc(k5key->length)) == NULL) { + return ENOMEM; + } + memcpy(lkey->data, k5key->contents, k5key->length); + lkey->length = k5key->length; + lkey->type = k5key->enctype; + + return 0; +} + + +/* Free any storage associated with a gss_krb5_lucid_key_t structure */ +static void +free_lucid_key_data( + gss_krb5_lucid_key_t *key) +{ + if (key) { + if (key->data && key->length) { + memset(key->data, 0, key->length); + xfree(key->data); + memset(key, 0, sizeof(gss_krb5_lucid_key_t)); + } + } +} +/* Free any storage associated with a gss_krb5_lucid_context_v1 structure */ +static void +free_external_lucid_ctx_v1( + gss_krb5_lucid_context_v1_t *ctx) +{ + if (ctx) { + if (ctx->protocol == 0) { + free_lucid_key_data(&ctx->rfc1964_kd.ctx_key); + } + if (ctx->protocol == 1) { + free_lucid_key_data(&ctx->cfx_kd.ctx_key); + if (ctx->cfx_kd.have_acceptor_subkey) + free_lucid_key_data(&ctx->cfx_kd.acceptor_subkey); + } + xfree(ctx); + ctx = NULL; + } +} diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/oid_ops.c b/usr/src/lib/gss_mechs/mech_krb5/mech/oid_ops.c new file mode 100644 index 0000000000..8d9dc12290 --- /dev/null +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/oid_ops.c 
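Review bot: make_external_lucid_ctx_v1 leaks the freshly allocated lctx when gctx->proto is neither 0 nor 1: that branch does `return EINVAL;` straight out instead of going through error_out, so the structure is never freed; it should read `retval = EINVAL; goto error_out;`. Separately, free_lucid_key_data relies on a plain `memset(key->data, 0, key->length)` immediately before `xfree()` to scrub exported key material, which a compiler may legally drop as a dead store; if the tree has a non-elidable zeroing helper it belongs here, otherwise a comment recording the intent would keep a later cleanup from removing the memset. In gss_krb5int_export_lucid_sec_context the `if (kret) goto error_out;` right after the ctx cast can never fire (kret is still 0 at that point) and can go. The closing `(void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL)` is also handed the real minor_status after it was zeroed for success, so it can presumably overwrite it and a caller may see GSS_S_COMPLETE with a non-zero minor; passing a scratch OM_uint32 there keeps the success report clean.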
@@ -0,0 +1,504 @@ +#pragma ident "%Z%%M% %I% %E% SMI" + +/* + * lib/gssapi/generic/oid_ops.c + * + * Copyright 1995 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + */ + +/* + * oid_ops.c - GSS-API V2 interfaces to manipulate OIDs + */ + +#include "mglueP.h" +#ifdef HAVE_UNISTD_H +#include <unistd.h> +#endif +#include <stdlib.h> +#include <string.h> +#include <stdio.h> +#include <gssapi_generic.h> +#include <errno.h> +#include <ctype.h> + +OM_uint32 +generic_gss_release_oid(minor_status, oid) + OM_uint32 *minor_status; + gss_OID *oid; +{ + if (minor_status) + *minor_status = 0; + + if (*oid == GSS_C_NO_OID) + return(GSS_S_COMPLETE); + + /* + * The V2 API says the following! 
+ * + * gss_release_oid[()] will recognize any of the GSSAPI's own OID values, + * and will silently ignore attempts to free these OIDs; for other OIDs + * it will call the C free() routine for both the OID data and the + * descriptor. This allows applications to freely mix their own heap- + * allocated OID values with OIDs returned by GSS-API. + */ + + /* + * We use the official OID definitions instead of the unofficial OID + * defintions. But we continue to support the unofficial OID + * gss_nt_service_name just in case if some gss applications use + * the old OID. + */ + + if ((*oid != GSS_C_NT_USER_NAME) && + (*oid != GSS_C_NT_MACHINE_UID_NAME) && + (*oid != GSS_C_NT_STRING_UID_NAME) && + (*oid != GSS_C_NT_HOSTBASED_SERVICE) && + (*oid != GSS_C_NT_ANONYMOUS) && + (*oid != GSS_C_NT_EXPORT_NAME) && + (*oid != gss_nt_service_name)) { + free((*oid)->elements); + free(*oid); + } + *oid = GSS_C_NO_OID; + return(GSS_S_COMPLETE); +} + +OM_uint32 +generic_gss_copy_oid(minor_status, oid, new_oid) + OM_uint32 *minor_status; + gss_OID_desc * const oid; + gss_OID *new_oid; +{ + gss_OID p; + + *minor_status = 0; + + p = (gss_OID) malloc(sizeof(gss_OID_desc)); + if (!p) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + p->length = oid->length; + p->elements = malloc(p->length); + if (!p->elements) { + free(p); + return GSS_S_FAILURE; + } + memcpy(p->elements, oid->elements, p->length); + *new_oid = p; + return(GSS_S_COMPLETE); +} + + +OM_uint32 +generic_gss_create_empty_oid_set(minor_status, oid_set) + OM_uint32 *minor_status; + gss_OID_set *oid_set; +{ + *minor_status = 0; + + if ((*oid_set = (gss_OID_set) malloc(sizeof(gss_OID_set_desc)))) { + memset(*oid_set, 0, sizeof(gss_OID_set_desc)); + return(GSS_S_COMPLETE); + } + else { + *minor_status = ENOMEM; + return(GSS_S_FAILURE); + } +} + +OM_uint32 +generic_gss_add_oid_set_member(minor_status, member_oid, oid_set) + OM_uint32 *minor_status; + gss_OID_desc * const member_oid; + gss_OID_set *oid_set; +{ + gss_OID 
elist; + gss_OID lastel; + + *minor_status = 0; + + if (member_oid == NULL || member_oid->length == 0 || + member_oid->elements == NULL) + return (GSS_S_CALL_INACCESSIBLE_READ); + + elist = (*oid_set)->elements; + /* Get an enlarged copy of the array */ + if (((*oid_set)->elements = (gss_OID) malloc(((*oid_set)->count+1) * + sizeof(gss_OID_desc)))) { + /* Copy in the old junk */ + if (elist) + memcpy((*oid_set)->elements, + elist, + ((*oid_set)->count * sizeof(gss_OID_desc))); + + /* Duplicate the input element */ + lastel = &(*oid_set)->elements[(*oid_set)->count]; + if ((lastel->elements = + (void *) malloc((size_t) member_oid->length))) { + /* Success - copy elements */ + memcpy(lastel->elements, member_oid->elements, + (size_t) member_oid->length); + /* Set length */ + lastel->length = member_oid->length; + + /* Update count */ + (*oid_set)->count++; + if (elist) + free(elist); + *minor_status = 0; + return(GSS_S_COMPLETE); + } + else + free((*oid_set)->elements); + } + /* Failure - restore old contents of list */ + (*oid_set)->elements = elist; + *minor_status = ENOMEM; + return(GSS_S_FAILURE); +} + +OM_uint32 +generic_gss_test_oid_set_member(minor_status, member, set, present) + OM_uint32 *minor_status; + gss_OID_desc * const member; + gss_OID_set set; + int *present; +{ + OM_uint32 i; + int result; + + *minor_status = 0; + + if (member == NULL || set == NULL) + return (GSS_S_CALL_INACCESSIBLE_READ); + + if (present == NULL) + return (GSS_S_CALL_INACCESSIBLE_WRITE); + + result = 0; + for (i=0; i<set->count; i++) { + if ((set->elements[i].length == member->length) && + !memcmp(set->elements[i].elements, + member->elements, + (size_t) member->length)) { + result = 1; + break; + } + } + *present = result; + return(GSS_S_COMPLETE); +} + +/* + * OID<->string routines. These are uuuuugly. 
+ */ +OM_uint32 +generic_gss_oid_to_str(minor_status, oid, oid_str) + OM_uint32 *minor_status; + gss_OID_desc * const oid; + gss_buffer_t oid_str; +{ + char numstr[128]; + OM_uint32 number; + int numshift; + OM_uint32 string_length; + OM_uint32 i; + unsigned char *cp; + char *bp; + + *minor_status = 0; + + if (oid == NULL || oid->length == 0 || oid->elements == NULL) + return (GSS_S_CALL_INACCESSIBLE_READ); + + if (oid_str == NULL) + return (GSS_S_CALL_INACCESSIBLE_WRITE); + + /* Decoded according to krb5/gssapi_krb5.c */ + + /* First determine the size of the string */ + string_length = 0; + number = 0; + numshift = 0; + cp = (unsigned char *) oid->elements; + number = (unsigned long) cp[0]; + snprintf(numstr, sizeof(numstr), "%lu ", (unsigned long)number/40); + string_length += strlen(numstr); + snprintf(numstr, sizeof(numstr), "%lu ", (unsigned long)number%40); + string_length += strlen(numstr); + for (i=1; i<oid->length; i++) { + if ((OM_uint32) (numshift+7) < (sizeof (OM_uint32)*8)) {/* XXX */ + number = (number << 7) | (cp[i] & 0x7f); + numshift += 7; + } + else { + return(GSS_S_FAILURE); + } + if ((cp[i] & 0x80) == 0) { + snprintf(numstr, sizeof(numstr), "%lu ", (unsigned long)number); + string_length += strlen(numstr); + number = 0; + numshift = 0; + } + } + /* + * If we get here, we've calculated the length of "n n n ... n ". Add 4 + * here for "{ " and "}\0". 
+ */ + string_length += 4; + if ((bp = (char *) malloc(string_length))) { + strcpy(bp, "{ "); + number = (OM_uint32) cp[0]; + snprintf(numstr, sizeof(numstr), "%lu ", (unsigned long)number/40); + strcat(bp, numstr); + snprintf(numstr, sizeof(numstr), "%lu ", (unsigned long)number%40); + strcat(bp, numstr); + number = 0; + cp = (unsigned char *) oid->elements; + for (i=1; i<oid->length; i++) { + number = (number << 7) | (cp[i] & 0x7f); + if ((cp[i] & 0x80) == 0) { + snprintf(numstr, sizeof(numstr), "%lu ", (unsigned long)number); + strcat(bp, numstr); + number = 0; + } + } + strcat(bp, "}"); + oid_str->length = strlen(bp)+1; + oid_str->value = (void *) bp; + return(GSS_S_COMPLETE); + } + *minor_status = ENOMEM; + return(GSS_S_FAILURE); +} + +OM_uint32 +generic_gss_str_to_oid(minor_status, oid_str, oid) + OM_uint32 *minor_status; + gss_buffer_t oid_str; + gss_OID *oid; +{ + unsigned char *cp, *bp, *startp; + int brace; + long numbuf; + long onumbuf; + OM_uint32 nbytes; + int index; + unsigned char *op; + + *minor_status = 0; + + if (GSS_EMPTY_BUFFER(oid_str)) + return (GSS_S_CALL_INACCESSIBLE_READ); + + if (oid == NULL) + return (GSS_S_CALL_INACCESSIBLE_WRITE); + + brace = 0; + bp = oid_str->value; + cp = bp; + /* Skip over leading space */ + while ((bp < &cp[oid_str->length]) && isspace(*bp)) + bp++; + if (*bp == '{') { + brace = 1; + bp++; + } + while ((bp < &cp[oid_str->length]) && isspace(*bp)) + bp++; + startp = bp; + nbytes = 0; + + /* + * The first two numbers are chewed up by the first octet. 
+ */ + if (sscanf((char *)bp, "%ld", &numbuf) != 1) { + *minor_status = EINVAL; + return(GSS_S_FAILURE); + } + while ((bp < &cp[oid_str->length]) && isdigit(*bp)) + bp++; + while ((bp < &cp[oid_str->length]) && isspace(*bp)) + bp++; + if (sscanf((char *)bp, "%ld", &numbuf) != 1) { + *minor_status = EINVAL; + return(GSS_S_FAILURE); + } + while ((bp < &cp[oid_str->length]) && isdigit(*bp)) + bp++; + while ((bp < &cp[oid_str->length]) && + (isspace(*bp) || *bp == '.')) + bp++; + nbytes++; + while (isdigit(*bp)) { + if (sscanf((char *)bp, "%ld", &numbuf) != 1) { + return(GSS_S_FAILURE); + } + while (numbuf) { + nbytes++; + numbuf >>= 7; + } + while ((bp < &cp[oid_str->length]) && isdigit(*bp)) + bp++; + while ((bp < &cp[oid_str->length]) && + (isspace(*bp) || *bp == '.')) + bp++; + } + if (brace && (*bp != '}')) { + return(GSS_S_FAILURE); + } + + /* + * Phew! We've come this far, so the syntax is good. + */ + if ((*oid = (gss_OID) malloc(sizeof(gss_OID_desc)))) { + if (((*oid)->elements = (void *) malloc(nbytes))) { + (*oid)->length = nbytes; + op = (unsigned char *) (*oid)->elements; + bp = startp; + (void) sscanf((char *)bp, "%ld", &numbuf); + while (isdigit(*bp)) + bp++; + while (isspace(*bp) || *bp == '.') + bp++; + onumbuf = 40*numbuf; + (void) sscanf((char *)bp, "%ld", &numbuf); + onumbuf += numbuf; + *op = (unsigned char) onumbuf; + op++; + while (isdigit(*bp)) + bp++; + while (isspace(*bp) || *bp == '.') + bp++; + while (isdigit(*bp)) { + (void) sscanf((char *)bp, "%ld", &numbuf); + nbytes = 0; + /* Have to fill in the bytes msb-first */ + onumbuf = numbuf; + while (numbuf) { + nbytes++; + numbuf >>= 7; + } + numbuf = onumbuf; + op += nbytes; + index = -1; + while (numbuf) { + op[index] = (unsigned char) numbuf & 0x7f; + if (index != -1) + op[index] |= 0x80; + index--; + numbuf >>= 7; + } + while (isdigit(*bp)) + bp++; + while (isspace(*bp) || *bp == '.') + bp++; + } + return(GSS_S_COMPLETE); + } + else { + free(*oid); + *oid = GSS_C_NO_OID; + } + } + 
return(GSS_S_FAILURE); +} + +/* + * Copyright 1993 by OpenVision Technologies, Inc. + * + * Permission to use, copy, modify, distribute, and sell this software + * and its documentation for any purpose is hereby granted without fee, + * provided that the above copyright notice appears in all copies and + * that both that copyright notice and this permission notice appear in + * supporting documentation, and that the name of OpenVision not be used + * in advertising or publicity pertaining to distribution of the software + * without specific, written prior permission. OpenVision makes no + * representations about the suitability of this software for any + * purpose. It is provided "as is" without express or implied warranty. + * + * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, + * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO + * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR + * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF + * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR + * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. 
+ */ +OM_uint32 +gssint_copy_oid_set( + OM_uint32 *minor_status, + const gss_OID_set_desc * const oidset, + gss_OID_set *new_oidset + ) +{ + gss_OID_set_desc *copy; + OM_uint32 minor = 0; + OM_uint32 major = GSS_S_COMPLETE; + OM_uint32 index; + + if (minor_status) + *minor_status = 0; + + if (oidset == NULL) + return (GSS_S_CALL_INACCESSIBLE_READ); + + if (new_oidset == NULL) + return (GSS_S_CALL_INACCESSIBLE_WRITE); + + *new_oidset = NULL; + + if ((copy = (gss_OID_set_desc *) calloc(1, sizeof (*copy))) == NULL) { + major = GSS_S_FAILURE; + goto done; + } + + if ((copy->elements = (gss_OID_desc *) + calloc(oidset->count, sizeof (*copy->elements))) == NULL) { + major = GSS_S_FAILURE; + goto done; + } + copy->count = oidset->count; + + for (index = 0; index < copy->count; index++) { + gss_OID_desc *out = ©->elements[index]; + gss_OID_desc *in = &oidset->elements[index]; + + if ((out->elements = (void *) malloc(in->length)) == NULL) { + major = GSS_S_FAILURE; + goto done; + } + (void) memcpy(out->elements, in->elements, in->length); + out->length = in->length; + } + + *new_oidset = copy; +done: + if (major != GSS_S_COMPLETE) { + (void) gss_release_oid_set(&minor, ©); + } + + return (major); +} diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/pname_to_uid.c b/usr/src/lib/gss_mechs/mech_krb5/mech/pname_to_uid.c index da4bb779bf..ac09ef4d69 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/pname_to_uid.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/pname_to_uid.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
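Review bot: generic_gss_str_to_oid parses oid_str->value as if it were NUL-terminated, but a gss_buffer_t is length-counted: every `sscanf((char *)bp, "%ld", ...)` and the third scan loop `while (isdigit(*bp))` (plus the whole encoding pass and the `*bp != '}'` test) advance with no `bp < &cp[oid_str->length]` bound, so a buffer whose last byte is a digit is read past its end. The sizing and encoding passes also agree on emitting zero bytes for an arc of value 0, so an input like "1 2 0" silently yields the OID for "1 2"; both passes need at least one byte per arc (a do/while around the `nbytes++ / numbuf >>= 7` step). The smallest safe change is to parse a private NUL-terminated copy and free it on every return, sketched below; the k5glue_str_to_oid wrapper earlier in this commit is under `#if 0`, so this may only be reachable through other callers. Minor: generic_gss_copy_oid returns GSS_S_FAILURE without setting `*minor_status = ENOMEM` when the elements allocation fails, unlike the descriptor path two lines above, and gssint_copy_oid_set's `©->elements[index]` / `&minor, ©` is presumably `&copy` mangled in rendering rather than in the source.
```c
	/* … unchanged: argument checks … */
	/* gss_buffer_t is length-counted and sscanf()/isdigit() below only
	 * stop at a non-digit byte, so parse a NUL-terminated private copy. */
	if ((cp = malloc(oid_str->length + 1)) == NULL) {
		*minor_status = ENOMEM;
		return(GSS_S_FAILURE);
	}
	memcpy(cp, oid_str->value, oid_str->length);
	cp[oid_str->length] = '\0';
	bp = cp;
	/* … unchanged: leading-space/brace skipping, first two arcs … */
	/* sizing pass: an arc of value 0 still occupies one byte */
	do {
		nbytes++;
		numbuf >>= 7;
	} while (numbuf);
	/* … unchanged: rest of the scan; the encoding pass emits each arc with
	 * the same do/while; free(cp) precedes every return … */
```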
@@ -33,29 +33,32 @@ * GSS_S_FAILURE is returned on failure. */ OM_uint32 -krb5_pname_to_uid(ctxt, minor, pname, uidOut) -void * ctxt; +krb5_pname_to_uid(minor, pname, uidOut) OM_uint32 *minor; const gss_name_t pname; uid_t *uidOut; { - krb5_context context = (krb5_context)ctxt; + krb5_context context; char lname[256]; struct passwd *pw; krb5_error_code stat; - mutex_lock(&krb5_mutex); if (! kg_validate_name(pname)) { - mutex_unlock(&krb5_mutex); *minor = (OM_uint32) G_VALIDATE_FAILED; return (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); } + stat = krb5_init_context(&context); + if (stat) { + *minor = stat; + return GSS_S_FAILURE; + } + stat = krb5_aname_to_localname(context, (krb5_principal) pname, sizeof (lname), lname); - mutex_unlock(&krb5_mutex); - + krb5_free_context(context); + context = NULL; if (stat) return (GSS_S_FAILURE); diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/process_context_token.c b/usr/src/lib/gss_mechs/mech_krb5/mech/process_context_token.c index 7b943a4493..9e312adbf5 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/process_context_token.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/process_context_token.c @@ -1,13 +1,8 @@ -/* - * Copyright 2003 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - #pragma ident "%Z%%M% %I% %E% SMI" /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and 
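Review bot: the `krb5_aname_to_localname` error path still returns GSS_S_FAILURE without recording why: `if (stat) return (GSS_S_FAILURE);` leaves `*minor` at whatever the caller passed in, while the new krb5_init_context failure just above does set it; make it `if (stat) { *minor = stat; return (GSS_S_FAILURE); }`. Creating and freeing a full krb5_context on every call is also considerably heavier than the mutex it replaces (krb5_init_context typically loads the krb5 configuration), which may matter if this runs once per authentication; if that cost is accepted for MT safety, a comment saying so would stop someone from caching the context unsafely later. `context = NULL;` after the free is a dead store into a local that goes out of scope a few lines later. krb5_pname_to_uid continues past the end of the hunk.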
@@ -17,7 +12,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR 
@@ -27,63 +22,45 @@ * PERFORMANCE OF THIS SOFTWARE. */ -#include <gssapiP_krb5.h> +#include "gssapiP_krb5.h" /* - * $Id: process_context_token.c,v 1.10 1996/07/22 20:34:23 marc Exp $ + * $Id: process_context_token.c 16171 2004-03-15 17:45:01Z raeburn $ */ OM_uint32 -krb5_gss_process_context_token(ct, minor_status, context_handle, +krb5_gss_process_context_token(minor_status, context_handle, token_buffer) - void *ct; OM_uint32 *minor_status; gss_ctx_id_t context_handle; gss_buffer_t token_buffer; { - krb5_context context; krb5_gss_ctx_id_rec *ctx; OM_uint32 majerr; - /* Solaris Kerberos: for MT safety, we avoid the use of a default - * context via kg_get_context() */ -#if 0 - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return(GSS_S_FAILURE); -#endif - - mutex_lock(&krb5_mutex); - context = ct; - /* validate the context handle */ if (! kg_validate_ctx_id(context_handle)) { *minor_status = (OM_uint32) G_VALIDATE_FAILED; - mutex_unlock(&krb5_mutex); return(GSS_S_NO_CONTEXT); } - ctx = (krb5_gss_ctx_id_rec *) context_handle; + ctx = (krb5_gss_ctx_id_t) context_handle; if (! ctx->established) { *minor_status = KG_CTX_INCOMPLETE; - mutex_unlock(&krb5_mutex); return(GSS_S_NO_CONTEXT); } /* "unseal" the token */ - if (GSS_ERROR(majerr = kg_unseal(context, minor_status, (gss_ctx_id_t)ctx, + if (GSS_ERROR(majerr = kg_unseal(minor_status, context_handle, token_buffer, GSS_C_NO_BUFFER, NULL, NULL, - KG_TOK_DEL_CTX))) { - mutex_unlock(&krb5_mutex); + KG_TOK_DEL_CTX))) return(majerr); - } /* that's it. delete the context */ - majerr = krb5_gss_delete_sec_context_no_lock(context, minor_status, - &context_handle, GSS_C_NO_BUFFER); - mutex_unlock(&krb5_mutex); - return(majerr); + return(krb5_gss_delete_sec_context(minor_status, &context_handle, + GSS_C_NO_BUFFER)); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/rel_buffer.c b/usr/src/lib/gss_mechs/mech_krb5/mech/rel_buffer.c index 496b4ce09b..6057bfaf3e 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/rel_buffer.c 
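Review bot: With the `krb5_mutex` lock/unlock pairs removed, nothing in this function serializes the `kg_validate_ctx_id` and `ctx->established` checks against another thread deleting the same handle before `kg_unseal` and `krb5_gss_delete_sec_context` run; if the resync relies on the GSS-API rule that one security context is not used concurrently, a comment at the top of the body stating that assumption would make it visible. Separately, `&context_handle` is the address of the by-value parameter, so the delete clears only the local copy and the caller's handle is left pointing at freed memory after this call; that matches the previous code, but a comment such as `/* only our copy is cleared; the caller's handle is now invalid */` next to the final return would warn future readers.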
+++ b/usr/src/lib/gss_mechs/mech_krb5/mech/rel_buffer.c @@ -1,15 +1,32 @@ +#pragma ident "%Z%%M% %I% %E% SMI" + /* - * Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright 1996 by Sun Microsystems, Inc. + * + * Permission to use, copy, modify, distribute, and sell this software + * and its documentation for any purpose is hereby granted without fee, + * provided that the above copyright notice appears in all copies and + * that both that copyright notice and this permission notice appear in + * supporting documentation, and that the name of Sun Microsystems not be used + * in advertising or publicity pertaining to distribution of the software + * without specific, written prior permission. Sun Microsystems makes no + * representations about the suitability of this software for any + * purpose. It is provided "as is" without express or implied warranty. + * + * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, + * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO + * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR + * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF + * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR + * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -#pragma ident "%Z%%M% %I% %E% SMI" - /* * glue routine for gss_release_buffer */ -#include <gssapiP_generic.h> +#include "gssapiP_generic.h" #include <stdio.h> #ifdef HAVE_STDLIB_H @@ -30,8 +47,7 @@ generic_gss_release_buffer (minor_status, if (buffer == GSS_C_NO_BUFFER) return(GSS_S_COMPLETE); - if ((buffer->length) && - (buffer->value)) { + if (buffer->value) { free(buffer->value); buffer->length = 0; buffer->value = NULL; diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/rel_cred.c b/usr/src/lib/gss_mechs/mech_krb5/mech/rel_cred.c index f196eff5f1..5cc85d0f27 100644 
--- a/usr/src/lib/gss_mechs/mech_krb5/mech/rel_cred.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/rel_cred.c @@ -1,13 +1,8 @@ -/* - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - #pragma ident "%Z%%M% %I% %E% SMI" /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -17,7 +12,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR 
@@ -27,55 +22,44 @@ * PERFORMANCE OF THIS SOFTWARE. */ -#include <gssapiP_krb5.h> -#include <k5-int.h> +#include "gssapiP_krb5.h" -OM_uint32 -krb5_gss_release_cred(ctx, minor_status, cred_handle) - void *ctx; +OM_uint32 +krb5_gss_release_cred(minor_status, cred_handle) OM_uint32 *minor_status; gss_cred_id_t *cred_handle; { - OM_uint32 status; - - mutex_lock(&krb5_mutex); - status = krb5_gss_release_cred_no_lock(ctx, minor_status, cred_handle); - mutex_unlock(&krb5_mutex); - return(status); -} - -OM_uint32 -krb5_gss_release_cred_no_lock(ctx, minor_status, cred_handle) - void *ctx; - OM_uint32 *minor_status; - gss_cred_id_t *cred_handle; -{ - krb5_context context = ctx; + krb5_context context; krb5_gss_cred_id_t cred; krb5_error_code code1, code2, code3; - /* Solaris Kerberos: for MT safety, we avoid the use of a default - * context via kg_get_context() */ -#if 0 - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return(GSS_S_FAILURE); -#endif - - if (*cred_handle == GSS_C_NO_CREDENTIAL) - { - /* Solaris Kerberos: the followin function does nothing */ - return(kg_release_defcred(minor_status)); + code1 = krb5_gss_init_context(&context); + if (code1) { + *minor_status = code1; + return GSS_S_FAILURE; + } + + if (*cred_handle == GSS_C_NO_CREDENTIAL) { + *minor_status = 0; + krb5_free_context(context); + return(GSS_S_COMPLETE); } if (! kg_delete_cred_id(*cred_handle)) { *minor_status = (OM_uint32) G_VALIDATE_FAILED; + krb5_free_context(context); return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_NO_CRED); } cred = (krb5_gss_cred_id_t)*cred_handle; + k5_mutex_destroy(&cred->lock); + /* ignore error destroying mutex */ + + if (cred->ccache) { /* + * Solaris Kerberos * If the ccache is a MEMORY ccache then this credential handle * should be the only way to get to it, at least until the advent * of a GSS_Duplicate_cred() (which is needed and may well be 
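Review bot: `k5_mutex_destroy(&cred->lock)` runs right after the handle is removed from the validation table, without the lock being taken first, and the rest of the teardown (ccache, principal, `req_enctypes`) follows in the `@@ -101,7 +85,12 @@` hunk. A thread still inside `gss_krb5int_set_allowable_enctypes` (added in this commit), which locks `cred->lock` and then writes `cred->req_enctypes`, would be working on a destroyed mutex and soon-freed memory; if the design assumes a credential handle is never released while in use, state that in a comment next to the destroy rather than leaving `/* ignore error destroying mutex */` as the only explanation. The `GSS_C_NO_CREDENTIAL` early return also initialises a `krb5_context` only to free it again; moving the `krb5_gss_init_context` call below that check avoids the cost, and a possible spurious failure, on the no-op path. krb5_gss_release_cred's body continues past this hunk.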
@@ -101,7 +85,12 @@ krb5_gss_release_cred_no_lock(ctx, minor_status, cred_handle) code3 = 0; if (cred->princ) krb5_free_principal(context, cred->princ); + + if (cred->req_enctypes) + free(cred->req_enctypes); + xfree(cred); + krb5_free_context(context); *cred_handle = NULL; diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/rel_name.c b/usr/src/lib/gss_mechs/mech_krb5/mech/rel_name.c index 7ddd13172e..2f472a4183 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/rel_name.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/rel_name.c @@ -1,13 +1,8 @@ -/* - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - #pragma ident "%Z%%M% %I% %E% SMI" /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -17,7 +12,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR 
@@ -27,46 +22,32 @@ * PERFORMANCE OF THIS SOFTWARE. */ -#include <gssapiP_krb5.h> - -OM_uint32 -krb5_gss_release_name(ctx, minor_status, input_name) - void *ctx; - OM_uint32 *minor_status; - gss_name_t *input_name; -{ - OM_uint32 rc; - - mutex_lock(&krb5_mutex); - rc = krb5_gss_release_name_no_lock(ctx, minor_status, input_name); - mutex_unlock(&krb5_mutex); - return (rc); -} +#include "gssapiP_krb5.h" OM_uint32 -krb5_gss_release_name_no_lock(ctx, minor_status, input_name) - void *ctx; +krb5_gss_release_name(minor_status, input_name) OM_uint32 *minor_status; gss_name_t *input_name; { - krb5_context context = ctx; - - /* Solaris Kerberos: for MT safety, we avoid the use of a default - * context via kg_get_context() */ -#if 0 - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return(GSS_S_FAILURE); -#endif + krb5_context context; + krb5_error_code code; + code = krb5_gss_init_context(&context); + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } if (! kg_validate_name(*input_name)) { *minor_status = (OM_uint32) G_VALIDATE_FAILED; + krb5_free_context(context); return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); } (void)kg_delete_name(*input_name); krb5_free_principal(context, (krb5_principal) *input_name); + krb5_free_context(context); *input_name = (gss_name_t) NULL; diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/rel_oid.c b/usr/src/lib/gss_mechs/mech_krb5/mech/rel_oid.c index 294f2fbece..395ba68818 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/rel_oid.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/rel_oid.c @@ -1,8 +1,3 @@ -/* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - #pragma ident "%Z%%M% %I% %E% SMI" /* 
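Review bot: When `krb5_gss_init_context` fails at the top of the new body, the function returns `GSS_S_FAILURE` without touching `*input_name`, so the name stays registered in the validation table and its principal is never freed; the caller's only recourse is to retry. The context is needed only for `krb5_free_principal`, so either document with a comment that a failed release leaves the name intact and owned by the caller, or reconsider whether failure to build a context should prevent releasing a name at all. krb5_gss_release_name continues past the hunk.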
@@ -23,7 +18,10 @@ * this permission notice appear in supporting documentation, and that * the name of M.I.T. not be used in advertising or publicity pertaining * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. * @@ -32,7 +30,12 @@ /* * rel_oid.c - Release an OID. */ -#include <gssapiP_krb5.h> +#include "gssapiP_krb5.h" +#include "mglueP.h" + +OM_uint32 krb5_gss_internal_release_oid (OM_uint32 *, /* minor_status */ + gss_OID * /* oid */ + ); OM_uint32 krb5_gss_release_oid(minor_status, oid) @@ -48,9 +51,9 @@ krb5_gss_release_oid(minor_status, oid) * descriptor. This allows applications to freely mix their own heap- * allocated OID values with OIDs returned by GSS-API. */ - if (krb5_gss_internal_release_oid(NULL, minor_status, oid) != GSS_S_COMPLETE) { + if (krb5_gss_internal_release_oid(minor_status, oid) != GSS_S_COMPLETE) { /* Pawn it off on the generic routine */ - return(gss_release_oid(minor_status, oid)); + return(generic_gss_release_oid(minor_status, oid)); } else { *oid = GSS_C_NO_OID; @@ -59,10 +62,8 @@ krb5_gss_release_oid(minor_status, oid) } } -/*ARGSUSED*/ OM_uint32 -krb5_gss_internal_release_oid(ct, minor_status, oid) - void *ct; +krb5_gss_internal_release_oid(minor_status, oid) OM_uint32 *minor_status; gss_OID *oid; { 
@@ -71,9 +72,9 @@ krb5_gss_internal_release_oid(ct, minor_status, oid) * return GSS_S_CONTINUE_NEEDED for any OIDs it does not recognize. */ - if ((*oid != gss_mech_krb5_v2) && - (*oid != gss_mech_krb5) && + if ((*oid != gss_mech_krb5) && (*oid != gss_mech_krb5_old) && + (*oid != gss_mech_krb5_wrong) && (*oid != gss_nt_krb5_name) && (*oid != gss_nt_krb5_principal)) { /* We don't know about this OID */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/rel_oid_set.c b/usr/src/lib/gss_mechs/mech_krb5/mech/rel_oid_set.c index 9a4b717e76..9ee331f538 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/rel_oid_set.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/rel_oid_set.c 
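Review bot: The `if` in this hunk is a hand-maintained pointer-identity list of the static OIDs this mechanism must never free, and the hunk changes its membership (drops `gss_mech_krb5_v2`, adds `gss_mech_krb5_wrong`); any static OID the mechanism hands out but omits here is passed on to `generic_gss_release_oid`, which presumably frees it as heap memory. A comment above the condition, e.g. `/* Every static gss_OID this mechanism exports must be listed here; anything else is treated as caller heap memory by the generic routine */`, would make that coupling explicit for whoever adds the next OID. The function begins in the preceding hunk.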
@@ -1,15 +1,32 @@ +#pragma ident "%Z%%M% %I% %E% SMI" + /* - * Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright 1996 by Sun Microsystems, Inc. + * + * Permission to use, copy, modify, distribute, and sell this software + * and its documentation for any purpose is hereby granted without fee, + * provided that the above copyright notice appears in all copies and + * that both that copyright notice and this permission notice appear in + * supporting documentation, and that the name of Sun Microsystems not be used + * in advertising or publicity pertaining to distribution of the software + * without specific, written prior permission. Sun Microsystems makes no + * representations about the suitability of this software for any + * purpose. It is provided "as is" without express or implied warranty. + * + * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, + * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO + * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR + * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF + * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR + * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -#pragma ident "%Z%%M% %I% %E% SMI" - /* * glue routine for gss_release_oid_set */ -#include <gssapiP_generic.h> +#include "gssapiP_generic.h" #include <stdio.h> #ifdef HAVE_STDLIB_H @@ -39,6 +56,6 @@ generic_gss_release_oid_set (minor_status, free(*set); *set = GSS_C_NULL_OID_SET; - + return(GSS_S_COMPLETE); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/set_allowable_enctypes.c b/usr/src/lib/gss_mechs/mech_krb5/mech/set_allowable_enctypes.c new file mode 100644 index 0000000000..2cd744aa95 --- /dev/null +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/set_allowable_enctypes.c 
@@ -0,0 +1,135 @@ +#pragma ident "%Z%%M% %I% %E% SMI" + +/* + * lib/gssapi/krb5/set_allowable_enctypes.c + * + * Copyright 2004 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * krb5_gss_set_allowable_enctypes() + */ + +/* + * gss_krb5_set_allowable_enctypes + * + * This function may be called by a context initiator after calling + * gss_acquire_cred(), but before calling gss_init_sec_context(), + * to restrict the set of enctypes which will be negotiated during + * context establishment to those in the provided array. + * + * 'cred_handle' must be a valid credential handle obtained via + * gss_acquire_cred(). It may not be GSS_C_NO_CREDENTIAL. + * gss_acquire_cred() may be called with GSS_C_NO_CREDENTIAL + * to get a handle to the default credential. 
+ * + * The purpose of this function is to limit the keys that may + * be exported via gss_krb5_export_lucid_sec_context(); thus it + * should limit the enctypes of all keys that will be needed + * after the security context has been established. + * (i.e. context establishment may use a session key with a + * stronger enctype than in the provided array, however a + * subkey must be established within the enctype limits + * established by this function.) + * + */ + +#include "gssapiP_krb5.h" +#ifdef HAVE_STRING_H +#include <string.h> +#else +#include <strings.h> +#endif +#include "gssapi_krb5.h" + +OM_uint32 KRB5_CALLCONV +gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status, + gss_cred_id_t cred_handle, + OM_uint32 num_ktypes, + krb5_enctype *ktypes) +{ + int i; + krb5_enctype * new_ktypes; + OM_uint32 major_status; + krb5_gss_cred_id_t cred; + krb5_error_code kerr = 0; + OM_uint32 temp_status; + + /* Assume a failure */ + *minor_status = 0; + major_status = GSS_S_FAILURE; + + /* verify and valildate cred handle */ + if (cred_handle == GSS_C_NO_CREDENTIAL) { + kerr = KRB5_NOCREDS_SUPPLIED; + goto error_out; + } + major_status = krb5_gss_validate_cred(&temp_status, cred_handle); + if (GSS_ERROR(major_status)) { + kerr = temp_status; + goto error_out; + } + cred = (krb5_gss_cred_id_t) cred_handle; + + if (ktypes) { + for (i = 0; i < num_ktypes && ktypes[i]; i++) { + if (!krb5_c_valid_enctype(ktypes[i])) { + kerr = KRB5_PROG_ETYPE_NOSUPP; + goto error_out; + } + } + } else { + kerr = k5_mutex_lock(&cred->lock); + if (kerr) + goto error_out; + if (cred->req_enctypes) + free(cred->req_enctypes); + cred->req_enctypes = NULL; + k5_mutex_unlock(&cred->lock); + return GSS_S_COMPLETE; + } + + /* Copy the requested ktypes into the cred structure */ + if ((new_ktypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) * (i + 1)))) { + memcpy(new_ktypes, ktypes, sizeof(krb5_enctype) * i); + new_ktypes[i] = 0; /* "null-terminate" the list */ + } + else { + kerr = ENOMEM; + goto 
error_out; + } + kerr = k5_mutex_lock(&cred->lock); + if (kerr) { + free(new_ktypes); + goto error_out; + } + if (cred->req_enctypes) + free(cred->req_enctypes); + cred->req_enctypes = new_ktypes; + k5_mutex_unlock(&cred->lock); + + /* Success! */ + return GSS_S_COMPLETE; + +error_out: + *minor_status = kerr; + return(major_status); +} diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/set_ccache.c b/usr/src/lib/gss_mechs/mech_krb5/mech/set_ccache.c index d17e14233d..e6f784c049 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/set_ccache.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/set_ccache.c 
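Review bot: The file comment names the function `krb5_gss_set_allowable_enctypes()` and then `gss_krb5_set_allowable_enctypes`, but the definition is `gss_krb5int_set_allowable_enctypes`; the comment should use the real name so a search lands here. The loop counter `i` is an `int` compared against the `OM_uint32` parameter `num_ktypes` and then used to size the `malloc`; declaring it `OM_uint32 i;` removes the signed/unsigned comparison and keeps the count in the parameter's type. A non-NULL `ktypes` whose first entry is 0 produces a stored `req_enctypes` list of length zero rather than clearing the restriction as the NULL case does; if that is intended, say so in a comment near the `memcpy`, otherwise treat `i == 0` like `ktypes == NULL`. The comment `verify and valildate cred handle` also has a typo.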
@@ -1,28 +1,99 @@ +/* + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ + #pragma ident "%Z%%M% %I% %E% SMI" -#include <gssapiP_krb5.h> +/* + * lib/gssapi/krb5/set_ccache.c + * + * Copyright 1999, 2003 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * Set ccache name used by gssapi, and optionally obtain old ccache + * name. Caller should not free returned name. 
+ */ + +#include <string.h> +#include "gssapiP_krb5.h" +#include "gss_libinit.h" -GSS_DLLIMP OM_uint32 KRB5_CALLCONV +OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name(minor_status, name, out_name) OM_uint32 *minor_status; const char *name; const char **out_name; { - krb5_context context; - krb5_error_code retval; - OM_uint32 foo_stat; + char *old_name = NULL; + OM_uint32 err = 0; + OM_uint32 minor = 0; + char *gss_out_name; + + err = gssint_initialize_library(); + if (err) { + *minor_status = err; + return GSS_S_FAILURE; + } - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return (GSS_S_FAILURE); + gss_out_name = k5_getspecific(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME); - if (out_name) - *out_name = krb5_cc_default_name(context); + if (out_name) { + const char *tmp_name = NULL; - retval = krb5_cc_set_default_name(context, name); - if (retval) { - *minor_status = retval; - return GSS_S_FAILURE; + if (!err) { + kg_get_ccache_name (&err, &tmp_name); + } + if (!err) { + old_name = gss_out_name; + gss_out_name = (char *)tmp_name; + } + } + /* If out_name was NULL, we keep the same gss_out_name value, and + don't free up any storage (leave old_name NULL). */ + + if (!err) + kg_set_ccache_name (&err, name); + + minor = k5_setspecific(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME, gss_out_name); + if (minor) { + /* Um. Now what? */ + if (err == 0) { + err = minor; } - kg_release_defcred(&foo_stat); - return GSS_S_COMPLETE; + free(gss_out_name); + gss_out_name = NULL; + } + + if (!err) { + if (out_name) { + *out_name = gss_out_name; + } + } + + if (old_name != NULL) { + free (old_name); + } + + *minor_status = err; + return (*minor_status == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE; } diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/store_cred.c b/usr/src/lib/gss_mechs/mech_krb5/mech/store_cred.c index 4a923941f7..dc2c955f8c 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/store_cred.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/store_cred.c 
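Review bot: On the `k5_setspecific` failure path `gss_out_name` is freed unconditionally, but when `out_name` was NULL (or `kg_get_ccache_name` failed) that pointer is the value already held in the `K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME` slot, and when `out_name` was set the slot still holds `old_name`, which is then freed a few lines later; if a failed `k5_setspecific` leaves the previous slot value in place (its implementation is not visible here), the next call's `k5_getspecific` returns freed memory either way. Tracking with a local flag whether `gss_out_name` was replaced by `tmp_name`, freeing it only in that case, and skipping the later `free(old_name)` when the set failed keeps the slot pointing at live storage in both cases. Separately, `tmp_name` is declared `const char *` and cast to `char *` so a later call can free it; a one-line comment that `kg_get_ccache_name` returns caller-owned heap storage would document that assumption.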
@@ -87,33 +87,9 @@ cleanup: } OM_uint32 -krb5_gss_store_cred(ct, minor_status, input_cred, cred_usage, desired_mech, - overwrite_cred, default_cred, elements_stored, - cred_usage_stored) -void *ct; -OM_uint32 *minor_status; -const gss_cred_id_t input_cred; -gss_cred_usage_t cred_usage; -gss_OID desired_mech; -OM_uint32 overwrite_cred; -OM_uint32 default_cred; -gss_OID_set *elements_stored; -gss_cred_usage_t *cred_usage_stored; -{ - OM_uint32 ret; - mutex_lock(&krb5_mutex); - ret = krb5_gss_store_cred_no_lock(ct, minor_status, input_cred, - cred_usage, desired_mech, overwrite_cred, default_cred, - elements_stored, cred_usage_stored); - mutex_unlock(&krb5_mutex); - return (ret); -} - -OM_uint32 -krb5_gss_store_cred_no_lock(ct, minor_status, input_cred, cred_usage, +krb5_gss_store_cred(minor_status, input_cred, cred_usage, desired_mech, overwrite_cred, default_cred, elements_stored, cred_usage_stored) -void *ct; OM_uint32 *minor_status; const gss_cred_id_t input_cred; gss_cred_usage_t cred_usage; @@ -124,7 +100,7 @@ gss_OID_set *elements_stored; gss_cred_usage_t *cred_usage_stored; { OM_uint32 maj, maj2, min; - krb5_context ctx = (krb5_context)ct; + krb5_context ctx = NULL; krb5_gss_cred_id_t cred = (krb5_gss_cred_id_t)input_cred; krb5_gss_cred_id_t cur_cred = (krb5_gss_cred_id_t)GSS_C_NO_CREDENTIAL; gss_OID_set desired_mechs = GSS_C_NULL_OID_SET; @@ -162,8 +138,14 @@ gss_cred_usage_t *cred_usage_stored; if (cred_usage == GSS_C_BOTH) cred_usage = GSS_C_INITIATE; + min = krb5_gss_init_context(&ctx); + if (min) { + *minor_status = min; + return (GSS_S_FAILURE); + } + /* * Find out the name, lifetime and cred usage of the input cred */ - maj = krb5_gss_inquire_cred_no_lock(ctx, minor_status, input_cred, + maj = krb5_gss_inquire_cred(minor_status, input_cred, &in_name, &in_time_rec, &in_usage, NULL); if (GSS_ERROR(maj)) goto cleanup; 
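Review bot: The new `krb5_gss_init_context` failure path in `@@ -162,8 +138,14 @@` returns directly instead of going through `cleanup`; everything between the declarations (hunk `@@ -124,7 +100,7 @@`) and this point is outside the visible lines, so if any of it allocates `desired_mechs` or `in_name` the direct return leaks them. `maj = GSS_S_FAILURE; *minor_status = min; goto cleanup;` is safe either way, since `cleanup` already tolerates a NULL `ctx`. Also, `krb5_gss_release_cred` and `krb5_gss_release_name` as rewritten in this commit each build their own `krb5_context`, so the `ctx` created here is no longer shared with them; a comment at the init call saying what `ctx` is still used for would help, as that use is outside the hunk. krb5_gss_store_cred's body continues across several hunks.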
@@ -205,7 +187,7 @@ gss_cred_usage_t *cred_usage_stored; * then we must be careful not to overwrite an existing * unexpired credential. */ - maj2 = krb5_gss_acquire_cred_no_lock(ctx, &min, + maj2 = krb5_gss_acquire_cred(&min, (default_cred) ? GSS_C_NO_NAME : in_name, 0, desired_mechs, cred_usage, (gss_cred_id_t *)&cur_cred, NULL, &cur_time_rec); @@ -245,10 +227,13 @@ cleanup: if (desired_mechs != GSS_C_NULL_OID_SET) (void) gss_release_oid_set(&min, &desired_mechs); if (cur_cred != (krb5_gss_cred_id_t)GSS_C_NO_CREDENTIAL) - (void) krb5_gss_release_cred_no_lock(ctx, &min, + (void) krb5_gss_release_cred(&min, (gss_cred_id_t *)&cur_cred); if (in_name != GSS_C_NO_NAME) - (void) krb5_gss_release_name_no_lock(ctx, &min, &in_name); + (void) krb5_gss_release_name(&min, &in_name); + + if (ctx) + krb5_free_context(ctx); return (maj); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/util_buffer.c b/usr/src/lib/gss_mechs/mech_krb5/mech/util_buffer.c index 36e7a3885d..aed035fe6e 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/util_buffer.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/util_buffer.c @@ -1,11 +1,6 @@ #pragma ident "%Z%%M% %I% %E% SMI" /* - * Copyright 2003 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - -/* * Copyright 1993 by OpenVision Technologies, Inc. * * Permission to use, copy, modify, distribute, and sell this software @@ -28,10 +23,10 @@ */ /* - * $Id: util_buffer.c,v 1.6 1996/07/22 20:33:19 marc Exp $ + * $Id: util_buffer.c 11001 1998-10-30 02:56:35Z marc $ */ -#include <gssapiP_generic.h> +#include "gssapiP_generic.h" #include <string.h> /* return nonzero on success, 0 on failure diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/util_cksum.c b/usr/src/lib/gss_mechs/mech_krb5/mech/util_cksum.c index 14bc7d13af..ae7bf11e38 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/util_cksum.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/util_cksum.c 
@@ -1,4 +1,10 @@ +/* + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ + #pragma ident "%Z%%M% %I% %E% SMI" + /* * Copyright 1993 by OpenVision Technologies, Inc. * @@ -21,15 +27,12 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* - * $Id: util_cksum.c,v 1.14.6.1 2000/04/22 03:01:36 raeburn Exp $ - */ - -#include <gssapiP_krb5.h> +#include "gssapiP_krb5.h" +#ifdef HAVE_MEMORY_H #include <memory.h> +#endif /* Checksumming the channel bindings always uses plain MD5. */ -/*ARGSUSED*/ krb5_error_code kg_checksum_channel_bindings(context, cb, cksum, bigend) krb5_context context; @@ -37,14 +40,17 @@ kg_checksum_channel_bindings(context, cb, cksum, bigend) krb5_checksum *cksum; int bigend; { - int len; - char *buf, *ptr; + size_t len; + char *buf = 0; + char *ptr; size_t sumlen; krb5_data plaind; krb5_error_code code; + void *temp; - /* initialize the the cksum and allocate the contents buffer */ - if (code = krb5_c_checksum_length(context, CKSUMTYPE_RSA_MD5, &sumlen)) + /* initialize the the cksum */ + code = krb5_c_checksum_length(context, CKSUMTYPE_RSA_MD5, &sumlen); + if (code) return(code); cksum->checksum_type = CKSUMTYPE_RSA_MD5; 
@@ -86,15 +92,46 @@ kg_checksum_channel_bindings(context, cb, cksum, bigend) plaind.length = len; plaind.data = buf; - if (code = krb5_c_make_checksum(context, CKSUMTYPE_RSA_MD5, 0, 0, - &plaind, cksum)) { - xfree(cksum->contents); - xfree(buf); - return(code); +#if 0 + /* + * SUNW15resync + * MIT 1.5-6 seems/is wrong here in 2 ways + * - why free then alloc contents again? + * - calling krb5_free_checksum_contents results in cksum->length + * getting set to 0 which causes ftp to fail + * so lets stick w/oldey-but-goodey code. + */ + code = krb5_c_make_checksum(context, CKSUMTYPE_RSA_MD5, 0, 0, + &plaind, cksum); + if (code) + goto cleanup; + + if ((temp = xmalloc(cksum->length)) == NULL) { + krb5_free_checksum_contents(context, cksum); + code = ENOMEM; + goto cleanup; } - /* success */ + memcpy(temp, cksum->contents, cksum->length); + krb5_free_checksum_contents(context, cksum); + cksum->contents = (krb5_octet *)temp; + /* SUNW15resync - need to reset cksum->length here */ - xfree(buf); - return(0); + /* success */ + cleanup: + if (buf) + xfree(buf); +#endif /* 0 */ + + if (code = krb5_c_make_checksum(context, CKSUMTYPE_RSA_MD5, 0, 0, + &plaind, cksum)) { + xfree(cksum->contents); /* SUNW15resync -just in case not already free */ + xfree(buf); + return(code); + } + + /* success */ + + xfree(buf); + return code; } diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/util_localhost.c b/usr/src/lib/gss_mechs/mech_krb5/mech/util_localhost.c index 420add58ff..93e0bfd542 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/util_localhost.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/util_localhost.c @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
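Review bot: The new `#if 0` block leaves some thirty lines of dead code, including a `cleanup:` label and the `temp` variable declared in the `@@ -37,14 +40,17 @@` hunk that is now referenced by nothing compiled, which will draw an unused-variable warning; since the SUNW15resync comment already records why the MIT 1.5/1.6 sequence was rejected, keep that explanation as a comment and drop the dead code and `void *temp;`. In the live path, `xfree(cksum->contents)` after a failed `krb5_c_make_checksum` is marked "just in case"; that is only safe if `krb5_c_make_checksum` either leaves `contents` allocated or NULLs it on failure, so confirm which and state it in the comment instead of guessing. `if (code = krb5_c_make_checksum(...))` also hides an assignment in a condition; `code = ...; if (code)` matches the style used earlier in this same function. kg_checksum_channel_bindings begins outside this hunk.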
@@ -7,7 +7,7 @@ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -17,7 +17,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -28,20 +28,16 @@ */ /* - * $Id: util_localhost.c,v 1.1 1996/04/12 00:39:38 marc Exp $ + * $Id: util_localhost.c 7797 1996-04-12 00:40:24Z marc $ */ /* This file could be OS specific */ -/* - * Solaris Kerberos: the MAXHOSTNAMELEN is defined in <netdb.h> not - * in <sys/param.h>, and gethostname requires <unistd.h> - */ -#include <unistd.h> -#include <netdb.h> -#include <string.h> +#include <sys/param.h> -#include <gssapiP_generic.h> +#include "gssapiP_generic.h" +#include <strings.h> /* SUNW15resync */ +#include <unistd.h> /* SUNW15resync */ #ifndef MAXHOSTNAMELEN #define MAXHOSTNAMELEN 64 diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/utl_nohash_validate.c b/usr/src/lib/gss_mechs/mech_krb5/mech/utl_nohash_validate.c index 507cae8f12..5268771617 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/utl_nohash_validate.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/utl_nohash_validate.c @@ -1,4 +1,5 @@ #pragma ident "%Z%%M% %I% %E% SMI" + /* * Copyright 1990,1994 by the Massachusetts Institute of Technology. * All Rights Reserved. 
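Review bot: The hunk `@@ -28,20 +28,16 @@` drops `<netdb.h>` together with the Solaris note that `MAXHOSTNAMELEN` is defined there rather than in `<sys/param.h>`; if that note is still accurate, the file now falls through to its own `#define MAXHOSTNAMELEN 64`, which is smaller than the platform value and would truncate longer host names in the `gethostname` call the removed comment refers to. It also replaces `<string.h>` with `<strings.h>`; if the code below uses `strlen`/`strcpy`-family functions (not visible here), check that `<strings.h>` declares them on this platform or keep `<string.h>`. Either retain `<netdb.h>` or verify where `MAXHOSTNAMELEN` comes from on Solaris before relying on the fallback.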
@@ -15,7 +16,10 @@ * this permission notice appear in supporting documentation, and that * the name of M.I.T. not be used in advertising or publicity pertaining * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. * @@ -25,7 +29,7 @@ * stub functions for those without the hash library. */ -#include <gssapiP_generic.h> +#include "gssapiP_generic.h" #ifdef HAVE_SYS_TYPES_H #include <sys/types.h> @@ -56,6 +60,12 @@ int g_save_ctx_id(vdb, ctx) { return 1; } +int g_save_lucidctx_id(vdb, lctx) + void **vdb; + void *lctx; +{ + return 1; +} /* validate */ @@ -77,6 +87,12 @@ int g_validate_ctx_id(vdb, ctx) { return 1; } +int g_validate_lucidctx_id(vdb, lctx) + void **vdb; + void *lctx; +{ + return 1; +} /* delete */ @@ -98,4 +114,10 @@ int g_delete_ctx_id(vdb, ctx) { return 1; } +int g_delete_lucidctx_id(vdb, lctx) + void **vdb; + void *lctx; +{ + return 1; +} diff --git a/usr/src/lib/krb5/kadm5/clnt/client_init.c b/usr/src/lib/krb5/kadm5/clnt/client_init.c index 338b4593c7..5064977d62 100644 --- a/usr/src/lib/krb5/kadm5/clnt/client_init.c +++ b/usr/src/lib/krb5/kadm5/clnt/client_init.c @@ -773,8 +773,7 @@ static kadm5_ret_t _kadm5_init_any(char *client_name, } else { input_name.value = service_name; input_name.length = strlen((char *)input_name.value) + 1; - gssstat = krb5_gss_import_name(handle->context, - &minor_stat, + gssstat = krb5_gss_import_name(&minor_stat, &input_name, (gss_OID)GSS_C_NT_HOSTBASED_SERVICE, (gss_name_t *)&creds.server); 
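Review bot: The three new stubs `g_save_lucidctx_id`, `g_validate_lucidctx_id` and `g_delete_lucidctx_id` unconditionally return 1 with no comment, so a reader of this nohash build cannot tell that lucid-context handles are deliberately not tracked or checked — the same behaviour as the existing ctx_id stubs beside them. A one-line comment on each, e.g. `/* nohash build: lucid ctx handles are not tracked; always reports success */`, would make the consequence explicit, in particular that g_validate_lucidctx_id accepts any pointer value without validating it. The `vdb` and `lctx` parameters are unused in all three and could be annotated as such in the file's existing style.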
diff --git a/usr/src/lib/libgss/g_acquire_cred.c b/usr/src/lib/libgss/g_acquire_cred.c index b2a9451538..12d3bda4ed 100644 --- a/usr/src/lib/libgss/g_acquire_cred.c +++ b/usr/src/lib/libgss/g_acquire_cred.c @@ -36,6 +36,7 @@ #include <string.h> #include <errno.h> #include <time.h> + /* local functions */ static gss_OID_set create_actual_mechs(const gss_OID, int); diff --git a/usr/src/lib/libgss/g_canon_name.c b/usr/src/lib/libgss/g_canon_name.c index 60debfa16e..6dcdc9606e 100644 --- a/usr/src/lib/libgss/g_canon_name.c +++ b/usr/src/lib/libgss/g_canon_name.c @@ -2,9 +2,8 @@ * CDDL HEADER START * * The contents of this file are subject to the terms of the - * Common Development and Distribution License, Version 1.0 only - * (the "License"). You may not use this file except in compliance - * with the License. + * Common Development and Distribution License (the "License"). + * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. @@ -20,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -93,7 +92,7 @@ gss_name_t *output_name; out_union->external_name = 0; /* Allocate the buffer for the user specified representation */ - if (__gss_create_copy_buffer(in_union->external_name, + if (gssint_create_copy_buffer(in_union->external_name, &out_union->external_name, 1)) goto allocation_failure; diff --git a/usr/src/lib/libgss/g_dup_name.c b/usr/src/lib/libgss/g_dup_name.c index 29079d22d0..e60220581b 100644 --- a/usr/src/lib/libgss/g_dup_name.c +++ b/usr/src/lib/libgss/g_dup_name.c 
@@ -2,9 +2,8 @@ * CDDL HEADER START * * The contents of this file are subject to the terms of the - * Common Development and Distribution License, Version 1.0 only - * (the "License"). You may not use this file except in compliance - * with the License. + * Common Development and Distribution License (the "License"). + * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. @@ -20,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -82,7 +81,7 @@ gss_name_t *dest_name; dest_union->external_name = 0; /* Now copy the external representaion */ - if (__gss_create_copy_buffer(src_union->external_name, + if (gssint_create_copy_buffer(src_union->external_name, &dest_union->external_name, 0)) goto allocation_failure; diff --git a/usr/src/lib/libgss/g_glue.c b/usr/src/lib/libgss/g_glue.c index f01c1d29c7..e402dc67b8 100644 --- a/usr/src/lib/libgss/g_glue.c +++ b/usr/src/lib/libgss/g_glue.c @@ -2,9 +2,8 @@ * CDDL HEADER START * * The contents of this file are subject to the terms of the - * Common Development and Distribution License, Version 1.0 only - * (the "License"). You may not use this file except in compliance - * with the License. + * Common Development and Distribution License (the "License"). + * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. @@ -20,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -546,7 +545,7 @@ __gss_get_mechanism_cred(union_cred, mech_type) * Both space for the structure and the data is allocated. */ OM_uint32 -__gss_create_copy_buffer(srcBuf, destBuf, addNullChar) +gssint_create_copy_buffer(srcBuf, destBuf, addNullChar) const gss_buffer_t srcBuf; gss_buffer_t *destBuf; int addNullChar; diff --git a/usr/src/lib/libgss/g_imp_name.c b/usr/src/lib/libgss/g_imp_name.c index d678d1b55c..9f3a58f62c 100644 --- a/usr/src/lib/libgss/g_imp_name.c +++ b/usr/src/lib/libgss/g_imp_name.c @@ -2,9 +2,8 @@ * CDDL HEADER START * * The contents of this file are subject to the terms of the - * Common Development and Distribution License, Version 1.0 only - * (the "License"). You may not use this file except in compliance - * with the License. + * Common Development and Distribution License (the "License"). + * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. @@ -20,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -94,7 +93,7 @@ gss_name_t *output_name; * rule is when the name of GSS_C_NT_EXPORT_NAME type. If that is * the case, then we make it MN in this call. */ - major_status = __gss_create_copy_buffer(input_name_buffer, + major_status = gssint_create_copy_buffer(input_name_buffer, &union_name->external_name, 0); if (major_status != GSS_S_COMPLETE) { free(union_name); |